CN104253692B - Key management method and device based on SE - Google Patents
Publication number: CN104253692B (application CN201410028406.0A)
Authority: CN (China)
Legal status: Expired - Fee Related (status as listed by Google; it is an assumption, not a legal conclusion)
Abstract
Embodiments of the invention provide a key management method and device based on an SE (secure element). The method includes: the SE issuer initializes the SE, generating the identifier and the MAC key of the SE; the SE application side or the SE generates a symmetric key, and the SE issuer verifies the symmetric key using the MAC key; after the symmetric key is verified, the SE and the SE application side store the symmetric key. This overcomes the drawbacks of software-based encryption, in which data is easily traced, and hence forged and tampered with, during transmission and the private key is easily leaked, and so reduces the risk of leaking encrypted data.
Description
Technical field
The present invention relates to the field of information security, and in particular to a key management method and device based on an SE.
Background technology
With the development of computing, security problems in networks have become increasingly serious. In transport protocols such as TCP, data is transmitted in plaintext, which is an inherent security defect; the main means of solving this problem is data encryption. In modern network communication, people's awareness of security is growing, and cryptography is applied ever more widely.
Encryption is currently the main security measure adopted by e-commerce and the most commonly used means of keeping information secret: important data is transformed by technical means into unintelligible ciphertext (encryption) before it is sent, and restored (decryption) at the destination by the same or a different means. Encryption technology consists of two elements: the algorithm and the key. The algorithm is the procedure that combines ordinary text (or intelligible information) with a string of digits (the key) to produce unintelligible ciphertext; the key is the parameter used to encode and decode the data. With appropriate key encryption technology and key management mechanisms, the security of communication over a network can be ensured.
Cipher systems are divided into symmetric-key cryptography and asymmetric-key cryptography. Correspondingly, data-encryption techniques fall into two classes: symmetric encryption (secret-key encryption) and asymmetric encryption (public-key encryption). Symmetric encryption is typically represented by the DES (Data Encryption Standard) algorithm (whose 56-bit key is now considered too short); asymmetric encryption is usually represented by the RSA (Rivest-Shamir-Adleman) algorithm. In symmetric encryption the encryption key and the decryption key are identical; in asymmetric encryption they differ, the encryption key may be made public while the decryption key must be kept secret.
The drawback of the prior-art methods of encrypting data described above is that encrypting data in software carries a certain security risk: data is easily traced, and hence forged and tampered with, during transmission, and the private key is easily leaked.
Content of the invention
To solve the above problems, embodiments of the present invention provide a key management method and device based on an SE, so as to encrypt data by means of hardware and reduce the risk of key leakage.
A key management method based on an SE, characterised in that it includes:
the SE issuer initializes the SE, generating the identifier and the MAC key of the SE;
the SE application side or the SE generates a symmetric key, and the SE issuer verifies the symmetric key using the MAC key;
after the symmetric key is verified, the SE and the SE application side store the symmetric key.
The SE issuer initializing the SE and generating the identifier and the MAC key of the SE includes:
the SE issuer sends the identifier and the public key of the SE issuer to the SE;
the SE writes the identifier into itself as the identifier of the SE, generates a MAC key, encrypts the MAC key with the public key of the SE issuer, and sends the encrypted data to the SE issuer;
the SE issuer produces a generate-asymmetric-key request and sends it to the SE;
the SE generates an asymmetric key pair according to the generate-asymmetric-key request and sends a public-key certificate application request containing the public key of the asymmetric key pair to the SE issuer.
The SE uses one key of the asymmetric key pair as its own public key.
The SE application side or the SE generating a symmetric key, and the SE issuer verifying the symmetric key using the MAC key, includes:
the SE application side sends the SE a generate-symmetric-key request carrying its own public key and key parameters;
the SE generates a symmetric key according to the key parameters carried in the generate-symmetric-key request, encrypts the symmetric key with the public key of the SE application side, computes the corresponding MAC value over the encrypted data with the MAC key, and sends the encrypted data and the MAC value to the SE application side;
the SE application side sends the received encrypted data and the MAC value to the SE issuer, and the SE issuer verifies the MAC value;
after the SE issuer has verified the MAC value, it sends a verification-passed indication message to the SE application side;
after receiving the verification-passed indication message, the SE application side decrypts the encrypted data with its own private key, obtains the symmetric key, and stores it.
Alternatively, the SE application side or the SE generating a symmetric key, and the SE issuer verifying the symmetric key using the MAC key, includes:
the SE application side sends a get-public-key request to the SE;
the SE sends its own public key to the SE application side according to the get-public-key request;
the SE application side generates a symmetric key and encrypts it with the public key of the SE, obtaining the encrypted symmetric key;
the SE application side sends the encrypted symmetric key to the SE issuer, and the SE issuer computes a MAC value over the encrypted symmetric key using the MAC key of that SE and sends the MAC value to the SE application side;
the SE application side generates a key-import request from the encrypted symmetric key and the MAC value and sends the key-import request to the SE;
after receiving the key-import request, the SE verifies the MAC value; once verification passes, it decrypts the encrypted symmetric key with its own private key, obtains the symmetric key, and saves it.
The SE includes: a USIM (universal subscriber identity module) card, a mobile terminal, or a secure digital (SD) card.
A key management device based on an SE, characterised in that it includes an SE, an SE issuer and an SE application side, where:
the SE issuer is configured to initialize the SE, generating the identifier and the MAC key of the SE;
the SE application side or the SE is configured to generate a symmetric key, and the SE issuer is configured to verify the symmetric key using the MAC key;
the SE and the SE application side are further configured to store the symmetric key after it has been verified.
For the initialization, the SE issuer is configured to send the identifier and the public key of the SE issuer to the SE;
the SE is configured to write the identifier into itself as the identifier of the SE, generate a MAC key, encrypt the MAC key with the public key of the SE issuer, and send the encrypted data to the SE issuer;
the SE issuer is configured to produce a generate-asymmetric-key request and send it to the SE;
the SE is configured to generate an asymmetric key pair according to the generate-asymmetric-key request and send a certificate application request containing the public key of the asymmetric key pair to the SE issuer;
the SE is further configured to use one key of the asymmetric key pair as its own public key.
In the case where the SE generates the symmetric key, the SE application side is configured to send the SE a generate-symmetric-key request carrying its own public key and key parameters;
the SE is configured to generate a symmetric key according to the key parameters carried in the generate-symmetric-key request, encrypt the symmetric key with the public key of the SE application side, compute the corresponding MAC value over the encrypted data with the MAC key, and send the encrypted data and the MAC value to the SE application side;
the SE application side is configured to send the received encrypted data and the MAC value to the SE issuer;
the SE issuer is configured to verify the MAC value and, after the MAC value has been verified, to send a verification-passed indication message to the SE application side;
the SE application side is configured, after receiving the verification-passed indication message, to decrypt the encrypted data with its own private key, obtain the symmetric key, and store it.
In the case where the SE application side generates the symmetric key, the SE application side is configured to send a get-public-key request to the SE;
the SE is configured to send its own public key to the SE application side according to the get-public-key request;
the SE application side is configured to generate a symmetric key, encrypt it with the public key of the SE to obtain the encrypted symmetric key, and send the encrypted symmetric key to the SE issuer;
the SE issuer is configured to compute a MAC value over the encrypted symmetric key using the MAC key of the SE and send the MAC value to the SE application side;
the SE application side is configured to generate a key-import request from the encrypted symmetric key and the MAC value and send the key-import request to the SE;
the SE is configured, after receiving the key-import request, to verify the MAC value and, once verification passes, decrypt the encrypted symmetric key with its own private key, obtain the symmetric key, and save it.
The SE includes: a USIM (universal subscriber identity module) card, a mobile terminal, or a secure digital (SD) card.
It can be seen from the technical schemes provided by the above embodiments that the embodiments of the present invention provide a key management method based on an SE in which the SE issuer initializes the SE, the SE application side or the SE generates a symmetric key, the SE issuer verifies the symmetric key, and the SE and the SE application side store the symmetric key. This prevents data from being traced during transmission, and hence the key from being recovered, as can happen when the operation is performed in software; and it reduces the risk of data theft caused by private-key leakage.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in describing the embodiments are introduced briefly below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a key management method based on an SE provided by embodiment one of the present invention;
Fig. 2 is a flowchart of SE initialization provided by embodiment one of the present invention;
Fig. 3 is a flowchart of the SE generating a symmetric key, provided by embodiment one of the present invention;
Fig. 4 is a flowchart of the SE application side generating a symmetric key, provided by embodiment one of the present invention;
Fig. 5 is a schematic diagram of a key management device based on an SE provided by embodiment two of the present invention.
Embodiment
To facilitate understanding of the embodiments of the present invention, they are further explained below with reference to the drawings, taking specific embodiments as examples; the embodiments do not limit the embodiments of the present invention.
Embodiment one
Embodiment one of the present invention provides a key management method based on an SE, including: the SE issuer initializes the SE; the SE application side or the SE generates a symmetric key, and the SE issuer verifies the symmetric key with the MAC key; after verification passes, the SE and the SE application side store the symmetric key. Because the symmetric key is encrypted with the public key of the SE or the public key of the SE application side, data security is strengthened. The MAC key here is the key used to compute message authentication codes (MACs).
The SE is a secure element that may reside in various kinds of hardware, including a SIM card, an SD card or a mobile terminal. The SE has computing capability of its own: it can carry out asymmetric encryption and decryption and symmetric encryption, and can therefore give safer protection to cryptographic keys, encryption keys, operator keys and communication keys.
The principles and features of the present invention are described below with reference to the drawings; the examples given serve only to explain the invention and not to limit its scope.
This embodiment provides a key management method based on an SE whose flow is shown in Fig. 1 and includes the following processing steps:
Step S110: the SE issuer initializes the SE, generating the identifier and the MAC key of the SE. Whenever the SE is to be used to protect keys, it must first be initialized; only after initialization is complete can the subsequent steps be carried out.
Step S120: the SE application side or the SE generates a symmetric key, and the SE issuer verifies the symmetric key using the MAC key. When the SE application side needs the SE to protect passwords or data, a symmetric key must first be stored on the SE. The symmetric key can be generated in two ways: either the SE generates it and passes it to the SE application side, or the SE application side generates it and then imports it into the SE.
Step S130: after the symmetric key is verified, the SE and the SE application side store the symmetric key.
Fig. 2 is a flowchart of SE initialization provided by embodiment one, which explains step S110 further and includes the following steps:
Step S21: the SE issuer sends the identifier, the public key of the SE issuer and related parameters to the SE; the parameters include the identifier of the SE. Before an SE is used it must be initialized by the SE issuer, which comprises setting the SE identifier, generating the MAC key and generating an asymmetric key pair. The SE identifier is set so that the SE issuer can identify each SE; the MAC key is generated so that messages can be authenticated during data transmission, ensuring that data is neither tampered with nor forged in transit.
Step S22: the SE writes the identifier into itself as its own identifier, generates a MAC key, encrypts the generated MAC key with the public key of the SE issuer, and sends the encrypted data to the SE issuer. Once the identifier has been written, the SE has a unique identifier by which the SE issuer can identify it, and the authenticity of the SE's identity can be verified through the MAC key; the MAC key is encrypted with the public key of the SE issuer before being sent, so that it is protected in transit.
Step S23: the SE issuer produces a generate-asymmetric-key request and sends it to the SE. The SE issuer asks the SE to generate an asymmetric key pair, of which the SE uses one key as its own public key so that symmetric keys can be encrypted to it. The generate-asymmetric-key request sent by the SE issuer includes: the SE identifier, a force-update flag, an algorithm identifier, the key length, a PIN code, and the MAC key index.
Step S24: the SE generates an asymmetric key pair according to the generate-asymmetric-key request sent by the SE issuer, and sends a certificate application request containing the public key of the pair to the SE issuer.
Fig. 3 is a flowchart of the SE generating a symmetric key, provided by embodiment one, which includes the following steps:
Step S31: the SE application side holds an asymmetric key pair. It first sends the SE a generate-symmetric-key request carrying its own public key and key parameters, asking the SE to generate a symmetric key; the key parameters include the type of key, the key length, and so on.
Step S32: the SE generates a symmetric key according to the generate-symmetric-key request sent by the SE application side and the key parameters it carries, encrypts the symmetric key with the public key of the SE application side, computes the corresponding MAC value over the encrypted data with the MAC key held in the SE, and then sends the encrypted data and the MAC value to the SE application side. This completes the generation and encryption of the symmetric key, and the MAC key protects the integrity of the data in transit.
Step S33: the SE application side sends the received encrypted data and MAC value to the SE issuer so that the SE issuer can verify the MAC value and thereby confirm that the data has not been tampered with in transit.
A symmetric key generated by the SE must have its MAC verified by the SE issuer. Whenever the SE issuer needs to save data on the SE, the SE identifier must be supplied to identify the SE, and a MAC value must be computed to prevent the data from being forged or tampered with in transit.
Step S34: after receiving the encrypted data and the MAC value, the SE issuer verifies the MAC value. If verification passes, the SE issuer sends a verification-passed indication message to the SE application side; if verification fails, the SE issuer sends a verification-failed message to the SE application side, generation of the symmetric key has failed, and the SE application side discards the encrypted data and the MAC value.
Step S35: after receiving the verification-passed indication message, the SE application side decrypts the encrypted data with its own private key, obtains the symmetric key, and stores it; the procedure ends.
Fig. 4 is a flowchart of the SE application side generating a symmetric key, provided by embodiment one, which includes the following steps:
Step S41: the SE application side first sends a get-public-key request to the SE, asking the SE to send its public key to the SE application side so that the SE application side can encrypt a symmetric key with it.
Step S42: after receiving the get-public-key request from the SE application side, the SE sends its own public key to the SE application side.
Step S43: after receiving the public key of the SE, the SE application side generates a symmetric key and encrypts it with the public key of the SE, obtaining the encrypted symmetric key.
Step S44: the SE application side sends the encrypted symmetric key to the SE issuer. After receiving it, the SE issuer computes a MAC value over the encrypted symmetric key using the MAC key of that SE and sends the MAC value to the SE application side.
Step S45: the SE application side generates a key-import request from the encrypted symmetric key and the MAC value and sends the key-import request to the SE, so that the generated symmetric key is imported securely into the SE.
Step S46: after receiving the key-import request, the SE verifies the MAC value, thereby checking the authenticity of the data and of the sender's identity. If verification passes, the SE decrypts the encrypted symmetric key with its own private key, obtains the symmetric key, and saves it; otherwise it does not decrypt the encrypted symmetric key, and the key import fails.
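The three flows above (initialization in Fig. 2, the SE-generated key in Fig. 3 and the application-generated key in Fig. 4) as one runnable simulation of the three parties. This is an added example, not code from the patent or from any product implementing it, and it uses only the Python standard library. Everything not named by the patent is an assumption made for the example: textbook RSA with no padding stands in for the asymmetric algorithm (the patent lists RSA, ECC, DSA and SM2 but fixes none, and a real SE would use a padded scheme such as RSA-OAEP or SM2), HMAC-SHA256 stands in for the MAC, the certificate request and every other message is a plain dictionary, the class and function names (Issuer, SE, App, run_demo and the helpers) are invented, and the SE is assumed to keep its own copy of a key it generates in the Fig. 3 flow, as step S130 requires. The last part of run_demo shows the check that matters in the Fig. 4 flow: a key-import request whose MAC the issuer never computed is refused by the SE.

```python
import hashlib
import hmac
import math
import secrets

# Stand-in asymmetric primitive: textbook RSA, no padding, NOT secure (use RSA-OAEP or SM2 in practice).
def _is_probable_prime(n, rounds=16):  # Miller-Rabin with random witnesses
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=512):  # returns ((e, n), (d, n)); 512 bits is for speed only
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_encrypt(pub, msg):  # msg must be shorter than n; all keys here are 16 or 32 bytes
    e, n = pub
    return pow(int.from_bytes(msg, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(priv, ct, length):
    return pow(int.from_bytes(ct, "big"), priv[0], priv[1]).to_bytes(length, "big")

def compute_mac(mac_key, data):  # the patent's "MAC value"; HMAC-SHA256 is an assumption
    return hmac.new(mac_key, data, hashlib.sha256).digest()

class Issuer:  # SE issuer: initialises SEs and holds each SE's MAC key (Fig. 2)
    def __init__(self):
        self.pub, self.priv = rsa_keygen()
        self.registry = {}  # se_id -> {"mac_key", "se_pub"}
    def initialize(self, se, se_id):
        enc_mac = se.set_identity(se_id, self.pub)  # S21/S22: id and issuer pubkey out, wrapped MAC key back
        mac_key = rsa_decrypt(self.priv, enc_mac, 32)
        cert_req = se.generate_keypair({"se_id": se_id, "alg": "RSA", "bits": 512})  # S23/S24
        self.registry[se_id] = {"mac_key": mac_key, "se_pub": cert_req["public_key"]}
    def verify_mac(self, se_id, data, tag):  # S34 (Fig. 3)
        return hmac.compare_digest(compute_mac(self.registry[se_id]["mac_key"], data), tag)
    def mac_for_import(self, se_id, enc_key):  # S44 (Fig. 4)
        return compute_mac(self.registry[se_id]["mac_key"], enc_key)

class SE:  # secure element: the only party holding its MAC key and private key in the clear
    def __init__(self):
        self.se_id, self.mac_key, self.pub, self.priv, self.keys = None, None, None, None, {}
    def set_identity(self, se_id, issuer_pub):  # S22
        self.se_id, self.mac_key = se_id, secrets.token_bytes(32)
        return rsa_encrypt(issuer_pub, self.mac_key)
    def generate_keypair(self, req):  # S24; the certificate-request shape is an assumption
        self.pub, self.priv = rsa_keygen(req["bits"])
        return {"se_id": self.se_id, "public_key": self.pub}
    def generate_symmetric_key(self, app_pub, params):  # S32: the MAC is computed over the ciphertext
        key = self.keys[params["label"]] = secrets.token_bytes(params["length"])
        enc = rsa_encrypt(app_pub, key)
        return enc, compute_mac(self.mac_key, enc)
    def import_key(self, req):  # S46: refuse any import whose MAC the issuer did not produce
        if not hmac.compare_digest(compute_mac(self.mac_key, req["enc_key"]), req["mac"]):
            return False
        self.keys[req["label"]] = rsa_decrypt(self.priv, req["enc_key"], req["length"])
        return True

class App:  # SE application side
    def __init__(self):
        self.pub, self.priv = rsa_keygen()
        self.keys = {}
    def request_key_from_se(self, se, issuer, label, length=16):  # Fig. 3
        enc, tag = se.generate_symmetric_key(self.pub, {"alg": "AES", "length": length, "label": label})
        if not issuer.verify_mac(se.se_id, enc, tag):  # S33/S34: the issuer checks before the app decrypts
            return False
        self.keys[label] = rsa_decrypt(self.priv, enc, length)  # S35
        return True
    def import_key_into_se(self, se, issuer, label, length=16):  # Fig. 4
        key = secrets.token_bytes(length)  # S43; reading se.pub stands for the S41/S42 exchange
        enc = rsa_encrypt(se.pub, key)
        req = {"label": label, "enc_key": enc, "length": length, "mac": issuer.mac_for_import(se.se_id, enc)}
        if se.import_key(req):  # S45/S46
            self.keys[label] = key
        return label in self.keys

def run_demo():  # both flows, then a constructed import request that bypassed the issuer
    issuer, se, app = Issuer(), SE(), App()
    issuer.initialize(se, "SE-0001")
    results = {"se_flow": app.request_key_from_se(se, issuer, "k_se"),
               "app_flow": app.import_key_into_se(se, issuer, "k_app")}
    forged = {"label": "k_bad", "enc_key": rsa_encrypt(se.pub, bytes(16)), "length": 16, "mac": bytes(32)}
    results["forged_import"] = se.import_key(forged)
    results["keys_agree"] = all(app.keys[k] == se.keys[k] for k in ("k_se", "k_app"))
    return results
```

Call run_demo() to execute both flows; it returns True for the two legitimate flows, False for the forged import, and True for the agreement of the stored keys. One thing the example does not model, because the patent does not specify it, is the channel between the SE issuer and the SE application side: the verification-passed indication of Fig. 3 and the MAC service of Fig. 4 are only as trustworthy as that channel, so an implementation has to authenticate it.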
The embodiments of the present invention support asymmetric-key encryption and symmetric-key encryption and decryption. The supported asymmetric algorithms include RSA, ECC, DSA and SM2 (DSA is a signature scheme and cannot itself encrypt a key); the supported symmetric algorithms include DES, 3DES, AES and SM4.
Those skilled in the art will understand that the method described above, in which the symmetric key is encrypted with the public key of the SE, is given only to explain the technical scheme of the embodiments better and not to limit them. Any method of encrypting the symmetric key that can be applied to this patent falls within the scope of the embodiments of the present invention.
Embodiment two
This embodiment provides a key management device based on an SE, shown in Fig. 5, which may include the following modules: an SE, an SE issuer and an SE application side. The SE issuer is configured to initialize the SE and generate the identifier and the MAC key of the SE; the SE application side or the SE is configured to generate a symmetric key, which the SE issuer verifies using the MAC key; further, the SE and the SE application side are configured to store the symmetric key after it has been verified.
The SE issuer is configured to send the identifier and the public key of the SE issuer to the SE; the SE is configured to write the identifier into itself as its own identifier, generate a MAC key, encrypt the MAC key with the public key of the SE issuer, and send the encrypted data to the SE issuer.
The SE issuer is configured to produce a generate-asymmetric-key request and send it to the SE; the SE is configured to generate an asymmetric key pair according to the generate-asymmetric-key request and send a certificate application request containing the public key of the pair to the SE issuer; the SE is further configured to use one key of the asymmetric key pair as its own public key.
The SE application side is configured to send the SE a generate-symmetric-key request carrying its own public key and key parameters; the SE is configured to generate a symmetric key according to the key parameters carried in the request, encrypt the symmetric key with the public key of the SE application side, compute the corresponding MAC value over the encrypted data with the MAC key, and send the encrypted data and the MAC value to the SE application side.
The SE application side is configured to send the received encrypted data and the MAC value to the SE issuer; the SE issuer is configured to verify the MAC value and, after the MAC value has been verified, to send a verification-passed indication message to the SE application side; the SE application side is configured, after receiving the verification-passed indication message, to decrypt the encrypted data with its own private key, obtain the symmetric key, and store it.
The SE application side is configured to send a get-public-key request to the SE; the SE is configured to send its own public key to the SE application side according to the get-public-key request; the SE application side is configured to generate a symmetric key, encrypt it with the public key of the SE to obtain the encrypted symmetric key, and send the encrypted symmetric key to the SE issuer.
The SE issuer is configured to compute a MAC value over the encrypted symmetric key using the MAC key of the SE and send the MAC value to the SE application side; the SE application side is configured to generate a key-import request from the encrypted symmetric key and the MAC value and send the key-import request to the SE; the SE is configured, after receiving the key-import request, to verify the MAC value and, once verification passes, decrypt the encrypted symmetric key with its own private key, obtain the symmetric key, and save it.
The way the device of this embodiment generates, encrypts and decrypts the symmetric key is similar to that of the method embodiment above and is not repeated here.
In summary, in the embodiments of the present invention the SE issuer initializes the SE, the SE application side or the SE generates a symmetric key, the SE issuer verifies the symmetric key, and finally the SE and the SE application side store the symmetric key. This prevents data from being traced during transmission, and hence the key from being recovered, as can happen when the operation is performed in software; and it reduces the risk of data theft caused by private-key leakage.
Because the present invention operates through the SE security device, the risk of the key being recovered is minimized and the security of key data is ensured. In addition, using the hardware SE reduces the risk that human factors pose to data security, and keeping the private key inside the hardware avoids leaking it. The security and authenticity of key data are thus well protected, which protects the interests of users.
Those of ordinary skill in the art will understand that the drawings are schematic diagrams of one embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
From the description of the embodiments above, those skilled in the art can clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware platform. On this understanding, the essence of the technical scheme of the present invention, or the part of it that contributes to the prior art, can be embodied as a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments of the present invention or in parts of them.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts can be cross-referenced. The device or system embodiments in particular are described briefly because they are essentially similar to the method embodiment; for related details, refer to the description of the method embodiment. The device and system embodiments described above are merely schematic: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over several network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred embodiments of the present invention, but the scope of protection of the present invention is not limited to them. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be defined by the scope of the claims.
Claims (10)
- 1. A key management method based on an SE, characterised in that it comprises: the SE publisher initialises the SE and generates the identifier and the MAC key of the SE, which comprises: the SE publisher sends an identifier and the public key of the SE publisher to the SE; the SE writes the identifier into itself as the identifier of the SE, generates a MAC key, encrypts the MAC key with the public key of the SE publisher, and sends the encrypted data to the SE publisher; the SE publisher produces a generate-asymmetric-key request and sends the generate-asymmetric-key request to the SE; the SE generates an asymmetric key pair according to the generate-asymmetric-key request and sends a certificate request carrying the public key of the asymmetric key pair to the SE publisher; the SE application side or the SE generates a symmetric key, and the SE publisher verifies the symmetric key using the MAC key; after the symmetric key has been verified, the SE and the SE application side store the symmetric key.
- 2. The SE-based key management method according to claim 1, characterised in that the SE uses one key of the asymmetric key pair as its own public key.
- 3. The SE-based key management method according to claim 1, characterised in that the step in which the SE application side or the SE generates a symmetric key and the SE publisher verifies the symmetric key using the MAC key comprises: the SE application side sends to the SE a generate-symmetric-key request carrying its own public key and key parameters; the SE generates a symmetric key according to the key parameters carried in the generate-symmetric-key request, encrypts the symmetric key with the public key of the SE application side, computes a MAC value over the encrypted data using the MAC key, and sends the encrypted data and the MAC value to the SE application side; the SE application side forwards the received encrypted data and MAC value to the SE publisher, and the SE publisher verifies the MAC value; after the MAC value has been verified, the SE publisher sends a verification-passed indication message to the SE application side; on receiving the verification-passed indication message, the SE application side decrypts the encrypted data with its own private key, obtains the symmetric key and stores it.
- 4. The SE-based key management method according to claim 2, characterised in that the step in which the SE application side or the SE generates a symmetric key and the SE publisher verifies the symmetric key using the MAC key comprises: the SE application side sends a get-public-key request to the SE; the SE sends its own public key to the SE application side according to the get-public-key request; the SE application side generates a symmetric key and encrypts the symmetric key with the public key of the SE to obtain the encrypted symmetric key; the SE application side sends the encrypted symmetric key to the SE publisher, and the SE publisher computes a MAC value over the encrypted symmetric key using the MAC key of the SE and sends the MAC value to the SE application side; the SE application side builds a key import request from the encrypted symmetric key and the MAC value and sends the key import request to the SE; after receiving the key import request, the SE verifies the MAC value and, once verification has passed, decrypts the encrypted symmetric key with its own private key, obtains the symmetric key and saves it.
- 5. The SE-based key management method according to any one of claims 1 to 4, characterised in that the SE comprises: a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
- 6. A key management apparatus based on an SE, characterised in that it comprises: an SE, an SE publisher and an SE application side; the SE publisher is configured to initialise the SE and generate the identifier and the MAC key of the SE; the SE publisher is configured to send an identifier and the public key of the SE publisher to the SE; the SE is configured to write the identifier into itself as the identifier of the SE, generate a MAC key, encrypt the MAC key with the public key of the SE publisher, and send the encrypted data to the SE publisher; the SE publisher is configured to produce a generate-asymmetric-key request and send the generate-asymmetric-key request to the SE; the SE is configured to generate an asymmetric key pair according to the generate-asymmetric-key request and send a certificate request carrying the public key of the asymmetric key pair to the SE publisher; the SE application side or the SE is configured to generate a symmetric key, which the SE publisher verifies using the MAC key; the SE and the SE application side are further configured to store the symmetric key after the symmetric key has been verified.
- 7. The SE-based key management apparatus according to claim 6, characterised in that the SE is further configured to use one key of the asymmetric key pair as its own public key.
- 8. The SE-based key management apparatus according to claim 6, characterised in that: the SE application side is configured to send to the SE a generate-symmetric-key request carrying its own public key and key parameters; the SE is configured to generate a symmetric key according to the key parameters carried in the generate-symmetric-key request, encrypt the symmetric key with the public key of the SE application side, compute a MAC value over the encrypted data using the MAC key, and send the encrypted data and the MAC value to the SE application side; the SE application side is configured to forward the received encrypted data and MAC value to the SE publisher; the SE publisher is configured to verify the MAC value and, after the MAC value has been verified, send a verification-passed indication message to the SE application side; the SE application side is configured, on receiving the verification-passed indication message, to decrypt the encrypted data with its own private key, obtain the symmetric key and store it.
- 9. The SE-based key management apparatus according to claim 6, characterised in that: the SE application side is configured to send a get-public-key request to the SE; the SE is configured to send its own public key to the SE application side according to the get-public-key request; the SE application side is configured to generate a symmetric key, encrypt the symmetric key with the public key of the SE to obtain the encrypted symmetric key, and send the encrypted symmetric key to the SE publisher; the SE publisher is configured to compute a MAC value over the encrypted symmetric key using the MAC key of the SE and send the MAC value to the SE application side; the SE application side is configured to build a key import request from the encrypted symmetric key and the MAC value and send the key import request to the SE; the SE is configured, after receiving the key import request, to verify the MAC value and, once verification has passed, decrypt the encrypted symmetric key with its own private key, obtain the symmetric key and save it.
- 10. The SE-based key management apparatus according to any one of claims 6 to 9, characterised in that the SE comprises: a universal subscriber identity module (USIM) card, a mobile terminal, or a secure digital (SD) card.
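The initialisation of claim 1 followed by the two provisioning flows of claims 3 (SE generates the symmetric key) and 4 (application side generates it), as an added illustration that is not code from the patent or its applicant. The claims name no algorithms, so the following are assumptions: HMAC-SHA256 for the MAC with a 32-byte MAC key, and an unpadded textbook RSA on freshly generated 256-bit primes as a stand-in for the SE's asymmetric cipher, chosen only so the file runs with the Python standard library; the class and method names (`Issuer`, `SE`, `App`, `flow_se_generates`, `flow_app_generates`) are likewise invented for the example. The `key_len` argument plays the role of the claim's "key parameters".

```python
import hashlib, hmac, math, secrets  # stdlib only

# Toy unpadded textbook RSA (assumption, not production grade): stands in for the SE's real RSA/ECC.
def _is_probable_prime(n, rounds=20):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def toy_keypair(bits=512):
    """Return ((n, e), (n, d)); plaintexts up to bits // 8 - 2 bytes fit."""
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def rsa_encrypt(pub, msg):
    n, e = pub
    m = int.from_bytes(b"\x01" + msg, "big")  # 0x01 prefix preserves length
    assert m < n, "plaintext too long for modulus"
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_decrypt(priv, ct):
    n, d = priv
    m = pow(int.from_bytes(ct, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class SE:
    """Secure element: keeps its MAC key and private key; never exports them."""
    def __init__(self):
        self.se_id = self.mac_key = self.pub = self.priv = self.symmetric_key = None
    def initialize(self, se_id, issuer_pub):  # claim 1
        self.se_id, self.mac_key = se_id, secrets.token_bytes(32)
        return rsa_encrypt(issuer_pub, self.mac_key)  # MAC key wrapped for the issuer
    def generate_asymmetric_keypair(self):  # claim 1: certificate request
        self.pub, self.priv = toy_keypair()
        return {"se_id": self.se_id, "public_key": self.pub}
    def generate_symmetric_key(self, app_pub, key_len):  # claim 3
        self.symmetric_key = secrets.token_bytes(key_len)
        ct = rsa_encrypt(app_pub, self.symmetric_key)
        return ct, _mac(self.mac_key, ct)  # key encrypted to the app, MAC over the ciphertext
    def import_key(self, ct, tag):  # claim 4: accept only issuer-authorised ciphertext
        if not hmac.compare_digest(_mac(self.mac_key, ct), tag):
            raise ValueError("MAC check failed, key import rejected")
        self.symmetric_key = rsa_decrypt(self.priv, ct)

class Issuer:
    """SE publisher: unwraps and records each SE's MAC key and public key."""
    def __init__(self):
        self.pub, self.priv = toy_keypair()
        self.registry = {}  # se_id -> (mac_key, se_pub)
    def initialize(self, se, se_id):  # claim 1, issuer side
        mac_key = rsa_decrypt(self.priv, se.initialize(se_id, self.pub))
        self.registry[se_id] = (mac_key, se.generate_asymmetric_keypair()["public_key"])
    def mac(self, se_id, data):
        return _mac(self.registry[se_id][0], data)
    def verify(self, se_id, data, tag):
        return hmac.compare_digest(self.mac(se_id, data), tag)

class App:
    def __init__(self):  # SE application side: own key pair plus the shared key
        self.pub, self.priv = toy_keypair()
        self.symmetric_key = None

def flow_se_generates(issuer, se, app, key_len=16):
    """Claim 3: SE makes the key, issuer checks the MAC, app decrypts and stores."""
    ct, tag = se.generate_symmetric_key(app.pub, key_len)
    if not issuer.verify(se.se_id, ct, tag):  # app forwards (ct, tag) to the issuer
        raise ValueError("issuer rejected the MAC")
    app.symmetric_key = rsa_decrypt(app.priv, ct)  # only after the verified message
    return app.symmetric_key == se.symmetric_key

def flow_app_generates(issuer, se, app, key_len=16):
    """Claim 4: app makes the key, issuer MACs the ciphertext, SE checks on import."""
    key = secrets.token_bytes(key_len)
    ct = rsa_encrypt(se.pub, key)  # app first fetched the SE's public key
    tag = issuer.mac(se.se_id, ct)  # issuer holds the SE's MAC key
    se.import_key(ct, tag)  # the key import request
    app.symmetric_key = key
    return app.symmetric_key == se.symmetric_key
```

Running `issuer, se, app = Issuer(), SE(), App(); issuer.initialize(se, "SE-0001")` and then either flow leaves `se.symmetric_key == app.symmetric_key`. The property the claims rely on is visible in the code: the issuer only ever handles the ciphertext and the MAC, never the symmetric key itself, while the MAC key is shared only between the SE and the issuer, so a flipped byte in the ciphertext is rejected by `Issuer.verify` in flow 3 and by `SE.import_key` in flow 4, and an application cannot import a key into the SE without the issuer's participation. Two caveats for anyone adapting this: the textbook RSA here must be replaced by a padded scheme (RSA-OAEP or ECIES), and because the claims MAC only the ciphertext, a practitioner would also feed the SE identifier and a nonce or counter into the MAC input so that a MAC value issued for one SE or one earlier import cannot be replayed against another.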
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410028406.0A CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410028406.0A CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104253692A CN104253692A (en) | 2014-12-31 |
CN104253692B true CN104253692B (en) | 2018-03-23 |
Family
ID=52188260
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410028406.0A Expired - Fee Related CN104253692B (en) | 2014-01-21 | 2014-01-21 | Key management method and device based on SE |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104253692B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107846274B (en) * | 2016-09-19 | 2021-09-14 | 中国移动通信有限公司研究院 | Control method, terminal, server and processor |
US11444759B2 (en) * | 2019-05-29 | 2022-09-13 | Stmicroelectronics, Inc. | Method and apparatus for cryptographically aligning and binding a secure element with a host device |
WO2021196047A1 (en) * | 2020-03-31 | 2021-10-07 | 华为技术有限公司 | Key processing method and apparatus |
CN113821835B (en) * | 2021-11-24 | 2022-02-08 | 飞腾信息技术有限公司 | Key management method, key management device and computing equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1833009A1 (en) * | 2006-03-09 | 2007-09-12 | First Data Corporation | Secure transaction computer network |
CN101729244A (en) * | 2008-10-24 | 2010-06-09 | 中兴通讯股份有限公司 | Method and system for distributing key |
CN102056077A (en) * | 2009-10-29 | 2011-05-11 | 中国移动通信集团公司 | Method and device for applying smart card by key |
CN102609842A (en) * | 2012-01-19 | 2012-07-25 | 上海海基业高科技有限公司 | Payment cipher device based on hardware signature equipment, and application method of payment cipher device |
CN103237005A (en) * | 2013-03-15 | 2013-08-07 | 福建联迪商用设备有限公司 | Method and system for key management |
- 2014-01-21 CN CN201410028406.0A patent/CN104253692B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN104253692A (en) | 2014-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105553951B (en) | Data transmission method and device | |
CN109495274B (en) | Decentralized intelligent lock electronic key distribution method and system | |
CN108199835B (en) | Multi-party combined private key decryption method | |
CN110519046B (en) | Quantum communication service station key negotiation method and system based on one-time asymmetric key pair and QKD | |
CN101515319B (en) | Cipher key processing method, cipher key cryptography service system and cipher key consultation method | |
CN108347419A (en) | Data transmission method and device | |
CN107483212A | Method for two-party collaborative generation of a digital signature | |
CN109194523A | Privacy-preserving multi-party diagnostic model fusion method and system, and cloud server | |
CN107800539A (en) | Authentication method, authentication device and Verification System | |
US11870891B2 (en) | Certificateless public key encryption using pairings | |
CN107360002B (en) | Application method of digital certificate | |
CN108471352A (en) | Processing method, system, computer equipment based on distributed private key and storage medium | |
CN110535626B (en) | Secret communication method and system for identity-based quantum communication service station | |
CN104901935A (en) | Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem) | |
CN104901803A (en) | Data interaction safety protection method based on CPK identity authentication technology | |
CN109495497A | Privacy information encrypted transmission method based on dynamic credit management and domestic cryptographic algorithms | |
CN101808089A (en) | Secret data transmission protection method based on isomorphism of asymmetrical encryption algorithm | |
CN103414559A (en) | Identity authentication method based on IBE-like system in cloud computing environment | |
CN111769938A (en) | Key management system and data verification system of block chain sensor | |
CN104253692B (en) | Key management method and device based on SE | |
CN106549858A | Instant messaging encryption method based on identity-based cryptography | |
CN109495244A | Quantum-resistant key negotiation method based on a symmetric key pool | |
CN104734847A (en) | Shared symmetric key data encrypting and decrypting method for public key cryptography application | |
CN112765667B (en) | Privacy protection method, device and system based on block chain | |
CN106453253A (en) | Efficient identity-based concealed signcryption method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20180323 Termination date: 20210121 |