CN104253692B - Key management method and device based on SE - Google Patents


Publication number: CN104253692B
Application number: CN201410028406.0A
Authority: CN (China)
Prior art keywords: key, publisher, mac, symmetric, mentioned
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN104253692A (en)
Inventor: 孙贵成
Current assignee: BEIJING INTELACTIVE TECHNOLOGY Co Ltd
Original assignee: BEIJING INTELACTIVE TECHNOLOGY Co Ltd
Events: application filed by BEIJING INTELACTIVE TECHNOLOGY Co Ltd; priority to CN201410028406.0A; publication of CN104253692A; application granted; publication of CN104253692B; legal status Expired - Fee Related; anticipated expiration.

Abstract

Embodiments of the invention provide a key management method and device based on a secure element (SE). The method includes: the SE publisher initializes the SE and generates the SE's identifier and MAC key; the SE application side or the SE generates a symmetric key, which the SE publisher verifies using the MAC key; after the symmetric key passes verification, the SE and the SE application side both store it. This addresses the drawbacks that software-encrypted data is easily traced in transmission, and so forged and tampered with, and that the private key is easily leaked, thereby reducing the risk of encrypted data being leaked.

Description

Key management method and device based on SE
Technical field
The present invention relates to the field of information security technology, and in particular to a key management method and device based on a secure element (SE).
Background technology
With the development of computers, security problems in networks are also on the rise. Under the transmission control protocol, all transmitted data is sent in plain text, which is an inherent security defect; the main means of solving this problem is data encryption. In modern network communication, people's security awareness is growing ever stronger and the application of cryptography is increasingly widespread.
Encryption technology is currently the main security and confidentiality measure adopted by e-commerce and the most commonly used means of keeping data secret: important data is turned into unintelligible text (encryption) by technical means before it is sent, and restored (decryption) by the same or a different means after it arrives. Encryption technology comprises two elements: the algorithm and the key. The algorithm is the set of steps that combines ordinary text (or understandable information) with a string of digits (the key) to produce unintelligible ciphertext; the key is what is used to encode and decode the data. In security and confidentiality work, appropriate key encryption technology and management mechanisms can guarantee the security of network information communication.
Cryptosystems for key encryption are divided into two kinds, symmetric-key cryptography and asymmetric cryptography. Correspondingly, data encryption technology falls into two classes, symmetric encryption (private-key encryption) and asymmetric encryption (public-key encryption). Symmetric encryption is typically represented by the DES (Data Encryption Standard) algorithm; asymmetric encryption is usually represented by the RSA (Rivest-Shamir-Adleman) public-key encryption algorithm. In symmetric encryption the encryption key and the decryption key are identical; in asymmetric encryption the encryption key and the decryption key differ, the encryption key can be made public and the decryption key must be kept secret.
The drawback of the above prior-art methods of encrypting data is that encrypting data with software carries a certain security risk: the data is easily traced in transmission, and thus forged and tampered with, and the private key is easily leaked.
Summary of the invention
To solve the above problems, embodiments of the invention provide a key management method and device based on SE, so as to encrypt data in hardware and reduce the risk of password leakage.
A key management method based on SE, characterized by including:
the SE publisher initializing the SE and generating the SE's identifier and MAC key;
the SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key;
after the symmetric key passes verification, the SE and the SE application side both storing the symmetric key.
The SE publisher initializing the SE and generating the SE's identifier and MAC key includes:
the SE publisher sending an identifier and the SE publisher's public key to the SE;
the SE writing the identifier into itself as the SE's identifier, generating a MAC key, encrypting the MAC key with the SE publisher's public key, and sending the encrypted data to the SE publisher;
the SE publisher producing an asymmetric-key generation request and sending the asymmetric-key generation request to the SE;
the SE generating an asymmetric key pair according to the asymmetric-key generation request, and sending a certificate application request containing the public key of the asymmetric key pair to the SE publisher.
The SE uses one key of the asymmetric key pair as its own public key.
The SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key, includes:
the SE application side sending to the SE a symmetric-key generation request carrying its own public key and key parameters;
the SE generating a symmetric key according to the key parameters carried in the symmetric-key generation request, encrypting the symmetric key with the SE application side's public key, computing the corresponding MAC value over the encrypted data using the MAC key, and sending the encrypted data and the MAC value to the SE application side;
the SE application side sending the received encrypted data and MAC value to the SE publisher, and the SE publisher verifying the MAC value;
after the SE publisher's verification of the MAC value passes, the SE publisher sending a verification-passed indication message to the SE application side;
the SE application side, after receiving the verification-passed indication message, decrypting the encrypted data with its own private key, obtaining the symmetric key, and storing it.
The SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key, includes:
the SE application side sending a public-key acquisition request to the SE;
the SE sending its own public key to the SE application side according to the public-key acquisition request;
the SE application side generating a symmetric key and encrypting it with the SE's public key to obtain the encrypted symmetric key;
the SE application side sending the encrypted symmetric key to the SE publisher, the SE publisher computing a MAC value over the encrypted symmetric key using the SE's MAC key, and sending the MAC value to the SE application side;
the SE application side generating a key import request from the encrypted symmetric key and the MAC value, and sending the key import request to the SE;
the SE, after receiving the key import request, verifying the MAC value and, once verification passes, decrypting the encrypted symmetric key with its own private key, obtaining the symmetric key, and saving it.
The SE includes: a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
A key management device based on SE, characterized by including an SE, an SE publisher and an SE application side, wherein:
the SE publisher is configured to initialize the SE and generate the SE's identifier and MAC key;
the SE application side or the SE is configured to generate a symmetric key, which the SE publisher verifies using the MAC key;
the SE and the SE application side are further configured to store the symmetric key after it passes verification.
The SE publisher is configured to send an identifier and the SE publisher's public key to the SE;
the SE is configured to write the identifier into itself as the SE's identifier, generate a MAC key, encrypt the MAC key with the SE publisher's public key, and send the encrypted data to the SE publisher;
the SE publisher is configured to produce an asymmetric-key generation request and send the asymmetric-key generation request to the SE;
the SE is configured to generate an asymmetric key pair according to the asymmetric-key generation request, and to send a certificate request for the asymmetric key pair to the SE publisher.
The SE is further configured to use one key of the asymmetric key pair as its own public key.
The SE application side is configured to send to the SE a symmetric-key generation request carrying its own public key and key parameters;
the SE is configured to generate a symmetric key according to the key parameters carried in the symmetric-key generation request, encrypt the symmetric key with the SE application side's public key, compute the corresponding MAC value over the encrypted data using the MAC key, and send the encrypted data and the MAC value to the SE application side;
the SE application side is configured to send the received encrypted data and MAC value to the SE publisher;
the SE publisher is configured to verify the MAC value and, after the verification passes, send a verification-passed indication message to the SE application side;
the SE application side is configured, after receiving the verification-passed indication message, to decrypt the encrypted data with its own private key, obtain the symmetric key, and store it.
The SE application side is configured to send a public-key acquisition request to the SE;
the SE is configured to send its own public key to the SE application side according to the public-key acquisition request;
the SE application side is configured to generate a symmetric key, encrypt it with the SE's public key to obtain the encrypted symmetric key, and send the encrypted symmetric key to the SE publisher;
the SE publisher is configured to compute a MAC value over the encrypted symmetric key using the SE's MAC key, and to send the MAC value to the SE application side;
the SE application side is configured to generate a key import request from the encrypted symmetric key and the MAC value, and to send the key import request to the SE;
the SE is configured, after receiving the key import request, to verify the MAC value and, once verification passes, to decrypt the encrypted symmetric key with its own private key, obtain the symmetric key, and save it.
The SE includes: a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
It can be seen from the technical solutions provided by the above embodiments that the embodiments of the invention provide a key management method based on SE: the SE publisher initializes the SE, the SE application side or the SE generates a symmetric key, the SE publisher verifies the symmetric key, and the SE and the SE application side store it. This prevents the data from being traced during transmission, as can happen when software is used, and the key from being decrypted; it also reduces the risk that a leaked private key causes data to be stolen.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the invention more clearly, the accompanying drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a processing flowchart of a key management method based on SE provided by embodiment one of the invention;
Fig. 2 is an initialization flowchart of an SE provided by embodiment one of the invention;
Fig. 3 is a processing flowchart in which an SE provided by embodiment one of the invention generates a symmetric key;
Fig. 4 is a processing flowchart in which an SE application side provided by embodiment one of the invention generates a symmetric key;
Fig. 5 is a schematic diagram of a key management device based on SE provided by embodiment two of the invention.
Embodiments
To ease understanding of the embodiments of the invention, further explanation is given below with reference to the accompanying drawings and taking specific embodiments as examples; the embodiments do not limit the invention.
Embodiment one
Embodiment one of the invention provides a key management method based on SE, including: the SE publisher initializes the SE; the SE application side or the SE generates a symmetric key, and the SE publisher verifies the symmetric key using the MAC key; after verification passes, the SE and the SE application side store the symmetric key. Encrypting the symmetric key with the public key in the SE or the public key of the SE application side strengthens the security of the data. The MAC key referred to above is the MAC key generated for the SE.
The SE is a secure element that may reside in various hardware, including a SIM card, an SD card or a mobile terminal. The SE has computational capability: it can perform asymmetric-key encryption and decryption as well as symmetric-key encryption, and can provide safer protection for cryptographic keys, encryption keys, operator keys and communication keys.
The principles and features of the invention are described below with reference to the accompanying drawings; the examples given serve only to explain the invention and do not limit its scope.
The processing flow of the key management method based on SE provided by this embodiment is shown in Fig. 1 and includes the following processing steps:
Step S110: the SE publisher initializes the SE, generating the SE's identifier and MAC key. When the SE is to be used to protect the security of keys, the SE is first initialized; the subsequent steps can be carried out only after initialization is complete.
Step S120: the SE application side or the SE generates a symmetric key, and the SE publisher verifies the symmetric key using the MAC key. When the SE application side needs to use the SE to secure a password or data, a symmetric key must first be stored on the SE. The symmetric key can be generated in two ways: either it is generated by the SE and passed to the SE application side, or it is generated by the SE application side and then imported into the SE.
Step S130: after the symmetric key passes verification, the SE and the SE application side store the symmetric key.
The initialization flowchart of the SE provided by embodiment one, shown in Fig. 2, further explains step S110 and includes the following steps:
Step S21: the SE publisher sends the identifier, the SE publisher's public key and related parameters to the SE; the parameters include the SE's identifier. Before use, the SE must be initialized by the SE publisher, which involves setting the SE identifier, generating the MAC key and generating the asymmetric key pair. The SE identifier is set so that the SE publisher can identify each SE; the MAC key is generated so that messages can be authenticated during data transmission, ensuring that the data is neither tampered with nor forged in transit.
Step S22: the SE writes the identifier into itself as the SE's identifier, generates a MAC key, encrypts the generated MAC key with the SE publisher's public key, and sends the encrypted data to the SE publisher. Once the identifier is written, the SE has a unique identity, so that the SE publisher can identify each SE and, through the MAC key, verify the authenticity of the SE's identity. The MAC key is encrypted with the SE publisher's public key before being sent to the SE publisher, to ensure the security of the data in transit.
Step S23: the SE publisher produces an asymmetric-key generation request and sends it to the SE. The SE publisher needs to request that the SE generate an asymmetric key pair and use one key of that pair as its own public key, so that a symmetric key can be encrypted to it. The asymmetric-key generation request sent by the SE publisher includes: the SE identifier, a force-update flag, an algorithm identifier, the key length, a PIN code, and a MAC key index.
Step S24: the SE generates an asymmetric key pair according to the asymmetric-key generation request sent by the SE publisher, and sends a certificate request for the asymmetric key pair to the SE publisher.
The processing flow in which the SE generates the symmetric key, provided by embodiment one of the invention, is shown in Fig. 3 and specifically includes the following steps:
Step S31: the SE application side holds an asymmetric key pair. It first sends the SE a symmetric-key generation request carrying its own public key and key parameters, asking the SE to generate a symmetric key; the key parameters include the key type, the key length and the like.
Step S32: the SE generates a symmetric key according to the symmetric-key generation request sent by the SE application side and the key parameters it carries, encrypts the symmetric key with the SE application side's public key, computes the corresponding MAC value over the encrypted data using the MAC key in the SE, and then sends the encrypted data and the MAC value to the SE application side. The symmetric key is thus generated and encrypted, and the MAC key ensures the security of the data in transit.
Step S33: the SE application side sends the received encrypted data and MAC value to the SE publisher, so that the SE publisher can verify the MAC value and thereby confirm that the data has not been tampered with in transit.
Generating the symmetric key on the SE requires the SE publisher to verify the MAC. Whenever the SE publisher needs to save data on the SE, the SE identifier must be supplied for identification, and to prevent the data from being forged or tampered with in transit a MAC value must be computed.
Step S34: after the SE publisher receives the encrypted data and the MAC value, it verifies the MAC value. If verification passes, the SE publisher sends a verification-passed indication message to the SE application side; if verification fails, the SE publisher sends a verification-failure message to the SE application side, the symmetric-key generation fails, and the SE application side discards the encrypted data and the MAC value.
Step S35: after receiving the verification-passed indication message, the SE application side decrypts the encrypted data with its own private key, obtains the symmetric key and stores it; the encryption procedure ends.
The processing flow in which the SE application side generates the symmetric key, provided by embodiment one of the invention, is shown in Fig. 4 and specifically includes the following steps:
Step S41: the SE application side first sends a public-key acquisition request to the SE, asking the SE to send its own public key to the SE application side so that the SE application side can encrypt the symmetric key with it.
Step S42: after the SE receives the public-key acquisition request sent by the SE application side, it sends its own public key to the SE application side.
Step S43: after the SE application side receives the SE's public key, it generates a symmetric key and encrypts it with the SE's public key to obtain the encrypted symmetric key.
Step S44: the SE application side sends the encrypted symmetric key to the SE publisher; after receiving it, the SE publisher computes a MAC value over the encrypted symmetric key using the SE's MAC key and sends the MAC value to the SE application side.
Step S45: the SE application side generates a key import request from the encrypted symmetric key and the MAC value, and sends the key import request to the SE, so as to import the generated symmetric key securely into the SE.
Step S46: after the SE receives the key import request, it verifies the MAC value so as to confirm the authenticity of the data and of the identity behind it. If verification passes, the SE decrypts the encrypted symmetric key with its own private key, obtains the symmetric key and saves it; otherwise it refuses to decrypt the encrypted symmetric key and the key import fails.
The embodiments of the invention support asymmetric-key encryption and symmetric-key encryption and decryption. The supported asymmetric algorithms include RSA, ECC, DSA and SM2; the supported symmetric algorithms include DES, 3DES, AES and SM4.
Those skilled in the art will understand that the above method of encrypting the symmetric key with the SE's public key is given only to better describe the technical solution of the embodiments, not to limit them. Any method of encrypting the symmetric key is equally applicable to this patent and falls within the scope of the embodiments of the invention.
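The exchanges of Fig. 3 (the SE generates the key) and Fig. 4 (the SE application side generates and imports the key), with the SE publisher's MAC verification in between, as an added Go example that is not code from the patent or its assignee. RSA-OAEP for wrapping the key, HMAC-SHA256 for the MAC value, the Issuer/Party types, the constructed identifier and starting from an already-initialised SE (the outcome of Fig. 2) are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Issuer (SE publisher) keeps each SE's MAC key under the identifier it gave
// that SE at initialisation (Fig. 2); no other party ever holds this key.
type Issuer struct{ macKeys map[string][]byte }

// Party models the SE or the SE application side: an RSA key pair plus the
// agreed symmetric key; only the SE has an identifier and a MAC key.
type Party struct {
	id             string
	macKey, symKey []byte
	priv           *rsa.PrivateKey
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// HMAC-SHA256 and RSA-OAEP are assumptions: the patent lists RSA among the
// supported asymmetric algorithms but fixes neither the MAC nor the padding.
func macTag(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Verify is step S34: a constant-time check of the MAC value that fails for
// any SE identifier the issuer has not initialised.
func (iss *Issuer) Verify(id string, data, tag []byte) bool {
	k, ok := iss.macKeys[id]
	return ok && hmac.Equal(tag, macTag(k, data))
}

// NewParties stands in for the outcome of Fig. 2 (S21-S24): the SE holds its
// identifier, MAC key and key pair, and the issuer holds a copy of the MAC key.
func NewParties(id string) (iss *Issuer, se, app *Party) {
	mk := random(32)
	iss = &Issuer{macKeys: map[string][]byte{id: mk}}
	return iss, &Party{id: id, macKey: mk, priv: mustKey()}, &Party{priv: mustKey()}
}

// SEGeneratesKey is Fig. 3: the SE generates the symmetric key, encrypts it
// under the app's public key and MACs the ciphertext (S31-S32); the app sends
// both to the issuer (S33) and decrypts only if the MAC verifies (S34-S35).
func SEGeneratesKey(iss *Issuer, se, app *Party, keyLen int) error {
	key := random(keyLen)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &app.priv.PublicKey, key, nil)
	if err != nil {
		return err
	}
	if !iss.Verify(se.id, ct, macTag(se.macKey, ct)) {
		return errors.New("issuer rejected MAC: key generation failed")
	}
	if app.symKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, app.priv, ct, nil); err != nil {
		return err
	}
	se.symKey = key
	return nil
}

// AppImportsKey is Fig. 4: the app generates the key and encrypts it under the
// SE's public key (S41-S43); the issuer computes the MAC value over the
// ciphertext (S44); the SE checks it before decrypting and storing (S45-S46).
func AppImportsKey(iss *Issuer, se, app *Party, keyLen int) error {
	key := random(keyLen)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &se.priv.PublicKey, key, nil)
	if err != nil {
		return err
	}
	tag := macTag(iss.macKeys[se.id], ct) // issuer-side computation (S44)
	if !hmac.Equal(tag, macTag(se.macKey, ct)) {
		return errors.New("SE rejected MAC: key import failed")
	}
	if se.symKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, se.priv, ct, nil); err != nil {
		return err
	}
	app.symKey = key
	return nil
}
```

When the MAC check fails, either flow returns an error and neither party stores a key, which is the discard-on-failure behaviour of steps S34 and S46.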
Embodiment two
This embodiment provides a key management device based on SE, shown in Fig. 5, which can specifically include the following modules: an SE, an SE publisher and an SE application side. The SE publisher is configured to initialize the SE and generate the SE's identifier and MAC key; the SE application side or the SE is configured to generate a symmetric key, which the SE publisher verifies using the MAC key; further, the SE and the SE application side are configured to store the symmetric key after it passes verification.
The SE publisher is configured to send an identifier and the SE publisher's public key to the SE; the SE is configured to write the identifier into itself as the SE's identifier, generate a MAC key, encrypt the MAC key with the SE publisher's public key, and send the encrypted data to the SE publisher.
The SE publisher is configured to produce an asymmetric-key generation request and send it to the SE; the SE is configured to generate an asymmetric key pair according to the asymmetric-key generation request and to send a certificate request for the asymmetric key pair to the SE publisher. The SE is further configured to use one key of the asymmetric key pair as its own public key.
The SE application side is configured to send to the SE a symmetric-key generation request carrying its own public key and key parameters; the SE is configured to generate a symmetric key according to the key parameters carried in the request, encrypt the symmetric key with the SE application side's public key, compute the corresponding MAC value over the encrypted data using the MAC key, and send the encrypted data and the MAC value to the SE application side.
The SE application side is configured to send the received encrypted data and MAC value to the SE publisher; the SE publisher is configured to verify the MAC value and, after verification passes, send a verification-passed indication message to the SE application side; the SE application side is configured, after receiving the verification-passed indication message, to decrypt the encrypted data with its own private key, obtain the symmetric key, and store it.
The SE application side is configured to send a public-key acquisition request to the SE; the SE is configured to send its own public key to the SE application side according to the public-key acquisition request; the SE application side is configured to generate a symmetric key, encrypt it with the SE's public key to obtain the encrypted symmetric key, and send the encrypted symmetric key to the SE publisher.
The SE publisher is configured to compute a MAC value over the encrypted symmetric key using the SE's MAC key and send the MAC value to the SE application side; the SE application side is configured to generate a key import request from the encrypted symmetric key and the MAC value and send the key import request to the SE; the SE is configured, after receiving the key import request, to verify the MAC value and, once verification passes, to decrypt the encrypted symmetric key with its own private key, obtain the symmetric key, and save it.
The device of this embodiment generates the symmetric key and performs encryption and decryption by processes similar to those of the preceding method embodiment, which are not repeated here.
In summary, in the embodiments of the invention the SE publisher initializes the SE, the SE application side or the SE generates a symmetric key, the SE publisher verifies the symmetric key, and finally the SE and the SE application side store it. This prevents the data from being traced during transmission, as can happen when software is used, and the key from being decrypted, and reduces the risk that a leaked private key causes data to be stolen.
The invention operates through the SE security device, minimizing the risk of the key being decrypted and ensuring the security of the key data. In addition, using a hardware SE reduces the risk that human factors pose to data security, and storing the private key in hardware avoids its leakage. The security and authenticity of the key data are therefore well protected, safeguarding the interests of users.
Those of ordinary skill in the art will appreciate that the accompanying drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be realized by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment, or in some part of an embodiment, of the invention.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments can be referred to one another, and each embodiment focuses on what differs from the others. In particular, the device and system embodiments are essentially similar to the method embodiments, so their description is comparatively brief and the relevant points can be found in the description of the method embodiments. The device and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed across several network elements. Some or all of the modules may be selected as actually needed to achieve the purpose of the embodiment's solution. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred embodiments of the invention, but the protection scope of the invention is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall be covered by the protection scope of the invention. Therefore, the protection scope of the invention shall be defined by the scope of the claims.

Claims (10)

  1. An SE-based key management method, characterised in that it comprises:
    an SE publisher initialising the SE and generating an identifier and a MAC key for the SE, which comprises: the SE publisher sending to the SE an identifier and the public key of the SE publisher;
    the SE writing the identifier into the SE as the identifier of the SE, generating a MAC key, encrypting the MAC key with the public key of the SE publisher, and sending the encrypted data to the SE publisher;
    the SE publisher producing a generate-asymmetric-key request and sending the generate-asymmetric-key request to the SE;
    the SE generating an asymmetric key pair according to the generate-asymmetric-key request, and sending to the SE publisher a certificate request that contains the public key of the asymmetric key pair;
    an SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key;
    after the symmetric key is verified, the SE and the SE application side storing the symmetric key.
  2. The SE-based key management method according to claim 1, characterised in that the SE uses one key of the asymmetric key pair as its own public key.
  3. The SE-based key management method according to claim 1, characterised in that the SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key, comprises:
    the SE application side sending to the SE a generate-symmetric-key request that carries its own public key and a key parameter;
    the SE generating the symmetric key according to the key parameter carried in the generate-symmetric-key request, encrypting the symmetric key with the public key of the SE application side, computing a MAC value over the encrypted data using the MAC key, and sending the encrypted data and the MAC value to the SE application side;
    the SE application side sending the received encrypted data and MAC value to the SE publisher, and the SE publisher verifying the MAC value;
    after the SE publisher has verified the MAC value, the SE publisher sending a verification-passed indication message to the SE application side;
    the SE application side, after receiving the verification-passed indication message, decrypting the encrypted data with its own private key to obtain the symmetric key, and storing it.
  4. The SE-based key management method according to claim 2, characterised in that the SE application side or the SE generating a symmetric key, and the SE publisher verifying the symmetric key using the MAC key, comprises:
    the SE application side sending a get-public-key request to the SE;
    the SE sending its own public key to the SE application side according to the get-public-key request;
    the SE application side generating a symmetric key and encrypting the symmetric key with the public key of the SE to obtain an encrypted symmetric key;
    the SE application side sending the encrypted symmetric key to the SE publisher, and the SE publisher computing a MAC value over the encrypted symmetric key using the MAC key of the SE and sending the MAC value to the SE application side;
    the SE application side generating a key-import request from the encrypted symmetric key and the MAC value, and sending the key-import request to the SE;
    the SE, after receiving the key-import request, verifying the MAC value and, after verification passes, decrypting the encrypted symmetric key with its own private key to obtain the symmetric key, and saving it.
  5. The SE-based key management method according to any one of claims 1 to 4, characterised in that the SE comprises a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
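The initialisation of claim 1 and the two symmetric-key flows of claims 3 and 4, as an added example in Go that is not part of the patent and not code of the applicant. The claims name no algorithms, so the example assumes RSA-OAEP with SHA-256 for every "encrypt with the public key" step and HMAC-SHA256 over the ciphertext for the MAC; the parties are modelled as in-process structs (`Publisher`, `SE`, and an `*rsa.PrivateKey` for the application side) rather than as the APDU exchanges a real SE would use, the certificate request of claim 1 is omitted, and the identifier "SE-0001" and all function names are this example's own. The `tamper` flag demonstrates the property the claims rely on: a ciphertext modified between tagging and verification is rejected by whichever party holds the other copy of the MAC key, before the recipient ever decrypts it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Roles from the claims; the struct layout is this example's own assumption.
type Publisher struct {
	priv    *rsa.PrivateKey
	macKeys map[string][]byte // SE identifier -> MAC key received at initialisation
}
type SE struct {
	id     string
	macKey []byte
	priv   *rsa.PrivateKey // the SE's own key pair (claim 2)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func newKeyPair() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Assumed primitives (the claims name none): RSA-OAEP(SHA-256) for "encrypt with the public key"
// and HMAC-SHA256 over the ciphertext for the MAC, i.e. encrypt-then-MAC.
func mac(key, data []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// Initialise follows claim 1: the publisher assigns the identifier, the SE returns a fresh MAC key
// encrypted under the publisher's public key and generates its key pair (certificate step omitted).
func Initialise(p *Publisher, se *SE, id string) error {
	se.id, se.macKey = id, randomBytes(32)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.priv.PublicKey, se.macKey, nil)
	if err != nil {
		return err
	}
	p.macKeys[id], err = rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil) // publisher side
	se.priv = newKeyPair()
	return err
}

// transfer is the step shared by claims 3 and 4: the key is encrypted for the recipient, the holder of
// tagKey MACs the ciphertext, the holder of verifyKey checks the tag, and only then does the recipient
// decrypt. tamper flips one ciphertext bit after tagging, as an on-path attacker would.
func transfer(sym []byte, recipient *rsa.PrivateKey, tagKey, verifyKey []byte, tamper bool) ([]byte, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recipient.PublicKey, sym, nil)
	if err != nil {
		return nil, err
	}
	t := mac(tagKey, ct)
	if tamper {
		ct[0] ^= 1
	}
	if !hmac.Equal(t, mac(verifyKey, ct)) {
		return nil, fmt.Errorf("MAC verification failed, key rejected")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ct, nil)
}

// ProvisionFromSE follows claim 3: the SE generates the key (keyLen is the request's key parameter)
// and tags it, the publisher verifies without seeing the plaintext key, and the application side
// decrypts. Returns the SE's copy and the application side's copy of the key.
func ProvisionFromSE(p *Publisher, se *SE, app *rsa.PrivateKey, keyLen int, tamper bool) ([]byte, []byte, error) {
	sym := randomBytes(keyLen)
	got, err := transfer(sym, app, se.macKey, p.macKeys[se.id], tamper)
	if err != nil {
		return nil, nil, fmt.Errorf("publisher: %w", err)
	}
	return sym, got, nil
}

// ImportFromApp follows claim 4: the application side generates the key and encrypts it for the SE,
// the publisher tags the ciphertext, and the SE verifies the tag before decrypting the import.
func ImportFromApp(p *Publisher, se *SE, keyLen int, tamper bool) ([]byte, []byte, error) {
	sym := randomBytes(keyLen)
	got, err := transfer(sym, se.priv, p.macKeys[se.id], se.macKey, tamper)
	if err != nil {
		return nil, nil, fmt.Errorf("SE: %w", err)
	}
	return got, sym, nil
}

func main() {
	p, se, app := &Publisher{priv: newKeyPair(), macKeys: map[string][]byte{}}, &SE{}, newKeyPair()
	must(0, Initialise(p, se, "SE-0001"))
	_, _, err := ProvisionFromSE(p, se, app, 16, false)
	_, _, err2 := ImportFromApp(p, se, 32, true)
	fmt.Println("claim 3 flow:", err, "| claim 4 flow with tampered ciphertext:", err2)
}
```

Two points worth checking against a deployment of this scheme. First, the MAC is computed over the ciphertext, so the publisher in the claim 3 flow and the application side in the claim 4 flow only ever handle encrypted key material; the plaintext symmetric key exists only in the SE and the application side, which is what lets the publisher act as verifier without becoming a key escrow. Second, the claims as written carry no nonce or counter in the requests, so a previously verified ciphertext-and-MAC pair would verify again if replayed; a concrete protocol built on these claims would bind a freshness value into the MAC input.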
  6. An SE-based key management apparatus, characterised in that it comprises an SE, an SE publisher and an SE application side, wherein:
    the SE publisher is configured to initialise the SE and generate an identifier and a MAC key for the SE;
    the SE publisher is configured to send an identifier and the public key of the SE publisher to the SE;
    the SE is configured to write the identifier into the SE as the identifier of the SE, generate a MAC key, encrypt the MAC key with the public key of the SE publisher, and send the encrypted data to the SE publisher;
    the SE publisher is configured to produce a generate-asymmetric-key request and send the generate-asymmetric-key request to the SE;
    the SE is configured to generate an asymmetric key pair according to the generate-asymmetric-key request and send a certificate request for the asymmetric key pair to the SE publisher;
    the SE application side or the SE is configured to generate a symmetric key, and the SE publisher is configured to verify the symmetric key using the MAC key;
    the SE and the SE application side are further configured to store the symmetric key after the symmetric key is verified.
  7. The SE-based key management apparatus according to claim 6, characterised in that the SE is further configured to use one key of the asymmetric key pair as its own public key.
  8. The SE-based key management apparatus according to claim 6, characterised in that:
    the SE application side is configured to send to the SE a generate-symmetric-key request that carries its own public key and a key parameter;
    the SE is configured to generate the symmetric key according to the key parameter carried in the generate-symmetric-key request, encrypt the symmetric key with the public key of the SE application side, compute a MAC value over the encrypted data using the MAC key, and send the encrypted data and the MAC value to the SE application side;
    the SE application side is configured to send the received encrypted data and MAC value to the SE publisher;
    the SE publisher is configured to verify the MAC value and, after the MAC value is verified, send a verification-passed indication message to the SE application side;
    the SE application side is configured to decrypt the encrypted data with its own private key after receiving the verification-passed indication message, obtain the symmetric key, and store it.
  9. The SE-based key management apparatus according to claim 6, characterised in that:
    the SE application side is configured to send a get-public-key request to the SE;
    the SE is configured to send its own public key to the SE application side according to the get-public-key request;
    the SE application side is configured to generate a symmetric key, encrypt the symmetric key with the public key of the SE to obtain an encrypted symmetric key, and send the encrypted symmetric key to the SE publisher;
    the SE publisher is configured to compute a MAC value over the encrypted symmetric key using the MAC key of the SE and send the MAC value to the SE application side;
    the SE application side is configured to generate a key-import request from the encrypted symmetric key and the MAC value and send the key-import request to the SE;
    the SE is configured to verify the MAC value after receiving the key-import request and, after verification passes, decrypt the encrypted symmetric key with its own private key to obtain the symmetric key, and save it.
  10. The SE-based key management apparatus according to any one of claims 6 to 9, characterised in that the SE comprises a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
CN201410028406.0A 2014-01-21 2014-01-21 Key management method and device based on SE Expired - Fee Related CN104253692B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410028406.0A CN104253692B (en) 2014-01-21 2014-01-21 Key management method and device based on SE

Publications (2)

Publication Number Publication Date
CN104253692A CN104253692A (en) 2014-12-31
CN104253692B true CN104253692B (en) 2018-03-23

Family

ID=52188260

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410028406.0A Expired - Fee Related CN104253692B (en) 2014-01-21 2014-01-21 Key management method and device based on SE

Country Status (1)

Country Link
CN (1) CN104253692B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107846274B (en) * 2016-09-19 2021-09-14 中国移动通信有限公司研究院 Control method, terminal, server and processor
US11444759B2 (en) * 2019-05-29 2022-09-13 Stmicroelectronics, Inc. Method and apparatus for cryptographically aligning and binding a secure element with a host device
WO2021196047A1 (en) * 2020-03-31 2021-10-07 华为技术有限公司 Key processing method and apparatus
CN113821835B (en) * 2021-11-24 2022-02-08 飞腾信息技术有限公司 Key management method, key management device and computing equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1833009A1 (en) * 2006-03-09 2007-09-12 First Data Corporation Secure transaction computer network
CN101729244A (en) * 2008-10-24 2010-06-09 中兴通讯股份有限公司 Method and system for distributing key
CN102056077A (en) * 2009-10-29 2011-05-11 中国移动通信集团公司 Method and device for applying smart card by key
CN102609842A (en) * 2012-01-19 2012-07-25 上海海基业高科技有限公司 Payment cipher device based on hardware signature equipment, and application method of payment cipher device
CN103237005A (en) * 2013-03-15 2013-08-07 福建联迪商用设备有限公司 Method and system for key management

Also Published As

Publication number Publication date
CN104253692A (en) 2014-12-31

Similar Documents

Publication Publication Date Title
CN105553951B (en) Data transmission method and device
CN109495274B (en) Decentralized intelligent lock electronic key distribution method and system
CN108199835B (en) Multi-party combined private key decryption method
CN110519046B (en) Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD
CN101515319B (en) Cipher key processing method, cipher key cryptography service system and cipher key consultation method
CN108347419A (en) Data transmission method and device
CN107483212A (en) A kind of method of both sides' cooperation generation digital signature
CN109194523A (en) The multi-party diagnostic model fusion method and system, cloud server of secret protection
CN107800539A (en) Authentication method, authentication device and Verification System
US11870891B2 (en) Certificateless public key encryption using pairings
CN107360002B (en) Application method of digital certificate
CN108471352A (en) Processing method, system, computer equipment based on distributed private key and storage medium
CN110535626B (en) Secret communication method and system for identity-based quantum communication service station
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN104901803A (en) Data interaction safety protection method based on CPK identity authentication technology
CN109495497A (en) Based on the management of credit worthiness dynamic and domestic cryptographic algorithm privacy information encrypted transmission method
CN101808089A (en) Secret data transmission protection method based on isomorphism of asymmetrical encryption algorithm
CN103414559A (en) Identity authentication method based on IBE-like system in cloud computing environment
CN111769938A (en) Key management system and data verification system of block chain sensor
CN104253692B (en) Key management method and device based on SE
CN106549858A (en) A kind of instant messaging encryption method based on id password
CN109495244A (en) Anti- quantum calculation cryptographic key negotiation method based on pool of symmetric keys
CN104734847A (en) Shared symmetric key data encrypting and decrypting method for public key cryptography application
CN112765667B (en) Privacy protection method, device and system based on block chain
CN106453253A (en) Efficient identity-based concealed signcryption method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180323

Termination date: 20210121
