CN105743918A - Information encrypted transmission method, device and system - Google Patents

Information encrypted transmission method, device and system

Info

Publication number: CN105743918A
Authority: CN (China)
Prior art keywords: agent end, trusted agent, management platform, target, mark
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201610206203.5A
Other languages: Chinese (zh)
Inventor: 刘海伟
Current assignee: Inspur Electronic Information Industry Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Inspur Electronic Information Industry Co Ltd
Events: application filed by Inspur Electronic Information Industry Co Ltd; priority to CN201610206203.5A (the priority date is an assumption and is not a legal conclusion); publication of CN105743918A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Confidential data exchange wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0805 Monitoring or testing by checking availability
    • H04L 43/0817 Monitoring or testing by checking availability by checking functioning
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/562 Brokering proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an information encrypted transmission method, device and system. A trusted agent first determines its own public key, private key and related basic information and sends the public key and basic information to a management platform for registration. After the trusted agent has verified that its own system is intact, it receives from the management platform a ciphertext encrypted under that public key and carrying a service instruction; it decrypts the ciphertext with its private key to obtain the corresponding key information, and uses that key information to drive its internal TPM security chip to execute the service instruction. Provided the management platform's own system is secure, the agent's system self-check together with encrypted transmission of the key information allows the key information to be transmitted reliably between the trusted agent and the management platform, so the scheme improves the security of encrypted information transmission.

Description

Method, apparatus and system for encrypted transmission of information
Technical field
The present invention relates to the field of computer technology, and in particular to a method, apparatus and system for encrypted transmission of information.
Background technology
In a real deployment, so that a trusted agent can carry out its business, the management platform must issue to that agent the key information it needs before it is permitted to execute the corresponding service. To prevent the key information from being intercepted in transit, it must be encrypted.
At present the management platform typically holds one public/private key pair. It encrypts the key information to be transmitted with its private key and sends the resulting ciphertext to the corresponding trusted agent, which decrypts it with the public key the management platform distributed to it in advance, thereby obtaining the key information.
However, if the public key distributed in advance is obtained by a malicious third party, the confidentiality of the transmission is lost. A value computed with a private key and recoverable with the matching public key is a signature, not an encryption: the public key is public by design, so this construction gives no confidentiality against anyone who holds it. The security of the existing encrypted transmission method is therefore low.
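The weakness described above is easy to demonstrate. The Go program below is an added example written for this page, not code from the patent or from Inspur: priorArtEncrypt models the background-art scheme (raw RSA with the platform's private key) and priorArtRecover shows that anyone holding the distributed public key recovers the plaintext, because the public key is by design not secret; recipientKeyEncrypt and recipientKeyDecrypt show the direction the patent adopts instead, encrypting under the receiving agent's public key with RSA-OAEP so that only that agent's private key opens it. The key size, the sample Owner password bytes and the OAEP label are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// priorArtEncrypt models the background-art scheme: the management platform
// "encrypts" the key information with its OWN private key, i.e. raw RSA m^d mod n.
// Raw RSA is used here only to model that scheme; it is not a recommendation.
func priorArtEncrypt(platformPriv *rsa.PrivateKey, msg []byte) []byte {
	m := new(big.Int).SetBytes(msg)
	return new(big.Int).Exp(m, platformPriv.D, platformPriv.N).Bytes()
}

// priorArtRecover is what ANY holder of the platform's public key can do with
// that "ciphertext": c^e mod n. The public key is public by design, so this
// construction is a signature, not an encryption, and gives no confidentiality.
func priorArtRecover(platformPub *rsa.PublicKey, ct []byte) []byte {
	c := new(big.Int).SetBytes(ct)
	e := big.NewInt(int64(platformPub.E))
	return new(big.Int).Exp(c, e, platformPub.N).Bytes()
}

// oaepLabel binds the ciphertext to its purpose; the value is an assumption of the example.
var oaepLabel = []byte("tpm-owner-auth")

// recipientKeyEncrypt is the direction the patent adopts: encrypt the key
// information under the RECEIVING agent's public key with RSA-OAEP(SHA-256).
func recipientKeyEncrypt(agentPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, agentPub, msg, oaepLabel)
}

// recipientKeyDecrypt succeeds only with the agent's own private key.
func recipientKeyDecrypt(agentPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, agentPriv, ct, oaepLabel)
}

func main() {
	platform, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a third party with no legitimate key material
	ownerAuth := []byte("Owner password 1")        // constructed sample key information

	// Prior art: the third party needs nothing but the platform's public key.
	ct := priorArtEncrypt(platform, ownerAuth)
	leaked := priorArtRecover(&platform.PublicKey, ct)
	fmt.Printf("prior art, recovered with public key only: %q (leaked=%v)\n", leaked, bytes.Equal(leaked, ownerAuth))

	// Patent direction: only the agent's private key opens the ciphertext.
	ct2, _ := recipientKeyEncrypt(&agent.PublicKey, ownerAuth)
	got, err := recipientKeyDecrypt(agent, ct2)
	fmt.Printf("agent decrypts: %q err=%v\n", got, err)
	_, err = recipientKeyDecrypt(other, ct2)
	fmt.Printf("other key decrypts: err=%v\n", err)
}
```

Running it shows the prior-art "ciphertext" opened with the public key alone, while the OAEP ciphertext opens only for the agent and fails for every other key.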
Summary of the invention
The invention provides a method, apparatus and system for encrypted transmission of information that can improve the security of encrypted information transmission.
To achieve this, the invention adopts the following technical solutions:
In one aspect, the invention provides an information encrypted transmission method applied to a trusted agent. In advance, the trusted agent determines its public key, private key and a first identifier, and a second identifier corresponding to its internal Trusted Platform Module (TPM) security chip, and sends registration information containing the public key, the first identifier and the second identifier to the management platform. The method further comprises:
S1: determine whether the current first measurement value of each component in the trusted agent equals a predetermined first reference value; if so, perform S2;
S2: receive, from the management platform, a ciphertext encrypted under the public key and carrying a service instruction;
S3: obtain the service instruction, and decrypt the ciphertext with the private key to obtain the key information corresponding to the ciphertext;
S4: use the key information to drive the TPM security chip to execute the service instruction.
Further, before S2, the method also comprises:
sending the first reference value of each component in the trusted agent to the management platform in advance;
sending the current first measurement value of each component in the trusted agent to the management platform.
Further, the first identifier comprises any one or more of: an IP address, a name and an ID number.
Further, after S4, the method also comprises: feeding back to the management platform the processing status corresponding to the service instruction.
In another aspect, the invention provides an information encrypted transmission method applied to a management platform. In advance, the management platform receives the registration information sent by each trusted agent and performs node registration of each trusted agent according to the public key, first identifier and second identifier it contains; it also determines in advance the key information corresponding to each second identifier. The method further comprises:
S1: determine whether the current second measurement value of each component in the management platform equals a predetermined second reference value; if so, perform S2;
S2: obtain the first target identifier of the target trusted agent that was input, and obtain the target public key and the second target identifier corresponding to that first target identifier;
S3: encrypt, with the target public key, the target key information corresponding to the second target identifier, obtaining the corresponding target ciphertext;
S4: obtain the target service instruction that was input, and send the target ciphertext carrying the target service instruction to the target trusted agent.
Further, before S2, the method also comprises:
receiving in advance the first reference value sent by each trusted agent;
receiving the first target measurement value sent by the target trusted agent;
obtaining the first target reference value corresponding to the target trusted agent;
determining whether the first target measurement value equals the first target reference value; if so, performing S2.
In another aspect, the invention provides a trusted agent comprising:
a determining unit, for determining in advance the public key, private key and first identifier of the trusted agent and the second identifier corresponding to its internal TPM security chip, and sending registration information containing the public key, the first identifier and the second identifier to the management platform;
a judging unit, for determining whether the current first measurement value of each component in the trusted agent equals the predetermined first reference value and, if so, triggering the decryption unit;
the decryption unit, for receiving from the management platform a ciphertext encrypted under the public key and carrying a service instruction, obtaining the service instruction, and decrypting the ciphertext with the private key to obtain the key information corresponding to the ciphertext;
a processing unit, for using the key information to drive the TPM security chip to execute the service instruction;
the TPM security chip, for executing the service instruction.
Further, the trusted agent also comprises:
a sending unit, for sending in advance the first reference value of each component in the trusted agent to the management platform, sending the current first measurement value of each component to the management platform, and triggering the judging unit.
In another aspect, the invention provides a management platform comprising:
a first processing unit, for receiving in advance the registration information sent by each trusted agent, performing node registration of each trusted agent according to the public key, first identifier and second identifier it contains, and determining in advance the key information corresponding to each second identifier;
a judging unit, for determining whether the current second measurement value of each component in the management platform equals the predetermined second reference value and, if so, triggering the acquiring unit;
the acquiring unit, for obtaining the first target identifier of the target trusted agent that was input, and obtaining the target public key and second target identifier corresponding to that first target identifier;
an encryption unit, for encrypting, with the target public key, the target key information corresponding to the second target identifier to obtain the corresponding target ciphertext;
a second processing unit, for obtaining the target service instruction that was input and sending the target ciphertext carrying the target service instruction to the target trusted agent.
Further, the management platform also comprises:
a third processing unit, for receiving in advance the first reference value sent by each trusted agent, receiving the first target measurement value sent by the target trusted agent, obtaining the first target reference value corresponding to the target trusted agent, determining whether the first target measurement value equals the first target reference value and, if so, triggering the acquiring unit.
In another aspect, the invention provides an information encrypted transmission system comprising at least one trusted agent as described above and a management platform as described above.
In summary, the trusted agent first determines its own public key, private key and related basic information and sends the public key and basic information to the management platform for registration. Once the agent has verified that its own system is intact, it receives from the management platform a ciphertext, encrypted under its public key, that carries a service instruction; it decrypts the ciphertext with its private key to obtain the corresponding key information and uses that key information to drive its internal TPM security chip to execute the service instruction. Provided the management platform's own system is secure, the agent's system self-check together with encrypted transmission of the key information allows the key information to be transmitted reliably between the trusted agent and the management platform. The invention therefore improves the security of encrypted information transmission.
Accompanying drawing explanation
To explain the embodiments of the invention and the prior art more clearly, the drawings needed for their description are introduced briefly below. The drawings illustrate some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
Fig. 1 is a flow chart of an information encrypted transmission method provided by one embodiment of the invention;
Fig. 2 is a flow chart of another information encrypted transmission method provided by one embodiment of the invention;
Fig. 3 is a flow chart of a further information encrypted transmission method provided by one embodiment of the invention;
Fig. 4 is a schematic diagram of a trusted agent provided by one embodiment of the invention;
Fig. 5 is a schematic diagram of another trusted agent provided by one embodiment of the invention;
Fig. 6 is a schematic diagram of a management platform provided by one embodiment of the invention;
Fig. 7 is a schematic diagram of another management platform provided by one embodiment of the invention;
Fig. 8 is a schematic diagram of an information encrypted transmission system provided by one embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The embodiments described are some, not all, of the embodiments of the invention; all other embodiments that a person of ordinary skill in the art obtains from them without inventive effort fall within the scope of protection of the invention.
As shown in Fig. 1, one embodiment of the invention provides an information encrypted transmission method applied to a trusted agent, which may comprise the following steps:
Step 101: determine in advance the public key, private key and first identifier of the trusted agent, and the second identifier corresponding to its internal Trusted Platform Module (TPM) security chip, and send registration information containing the public key, the first identifier and the second identifier to the management platform.
Step 102: determine whether the current first measurement value of each component in the trusted agent equals the predetermined first reference value; if so, perform step 103.
Step 103: receive from the management platform a ciphertext encrypted under the public key and carrying a service instruction.
Step 104: obtain the service instruction, and decrypt the ciphertext with the private key to obtain the key information corresponding to the ciphertext.
Step 105: use the key information to drive the TPM security chip to execute the service instruction.
In this embodiment the trusted agent first determines its own public key, private key and related basic information and registers them with the management platform. Once it has verified that its own system is intact, it receives from the management platform a ciphertext, encrypted under its public key, that carries a service instruction; it decrypts the ciphertext with its private key to obtain the key information and uses it to drive the internal TPM security chip to execute the service instruction. Provided the management platform is secure, the agent's self-check and the encrypted transmission of the key information together allow reliable transmission of the key information between agent and platform, which improves the security of encrypted information transmission.
In one possible implementation, so that the management platform can judge whether the trusted agent's system is secure and reliable, the method further comprises, before step 103:
sending the first reference value of each component in the trusted agent to the management platform in advance;
sending the current first measurement value of each component in the trusted agent to the management platform.
In one possible implementation, the first identifier comprises any one or more of: an IP address, a name and an ID number.
In one possible implementation, so that the management platform knows how the service instruction was handled and can record, manage or act on it, the method further comprises, after step 105:
feeding back to the management platform the processing status corresponding to the service instruction.
As shown in Fig. 2, one embodiment of the invention provides an information encrypted transmission method applied to a management platform, which may comprise the following steps:
Step 201: receive in advance the registration information sent by each trusted agent, perform node registration of each trusted agent according to the public key, first identifier and second identifier it contains, and determine in advance the key information corresponding to each second identifier.
Step 202: determine whether the current second measurement value of each component in the management platform equals the predetermined second reference value; if so, perform step 203.
Step 203: obtain the first target identifier of the target trusted agent that was input, and obtain the target public key and second target identifier corresponding to that first target identifier.
Step 204: encrypt, with the target public key, the target key information corresponding to the second target identifier to obtain the corresponding target ciphertext.
Step 205: obtain the target service instruction that was input, and send the target ciphertext carrying the target service instruction to the target trusted agent.
In this embodiment the management platform registers each trusted agent as a node in advance and determines the key information corresponding to each TPM security chip. Once it has verified that its own system is intact, it obtains the target public key and key information corresponding to the target trusted agent, encrypts the key information with that public key to obtain the ciphertext, and sends the ciphertext carrying the service instruction to the target agent. Provided the target agent is secure, the platform's self-check and the encrypted transmission of the key information together allow reliable transmission of the key information between agent and platform, which improves the security of encrypted information transmission.
In one possible implementation, so that the management platform can judge whether the target trusted agent's system is secure and reliable, the method further comprises, before step 203:
receiving in advance the first reference value sent by each trusted agent;
receiving the first target measurement value sent by the target trusted agent;
obtaining the first target reference value corresponding to the target trusted agent;
determining whether the first target measurement value equals the first target reference value; if so, performing step 203.
To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and a specific embodiment.
As shown in Fig. 3, one embodiment of the invention provides an information encrypted transmission method that may comprise the following steps:
Step 301: each trusted agent determines in advance its own public key, private key, first identifier, the second identifier corresponding to its internal TPM security chip, and the first reference value of its internal components, and sends registration information containing the public key, first identifier, second identifier and first reference value to the management platform.
In detail, the first identifier may include any one or more of an IP address, a name and an ID number.
In detail, the components may include any one or more of hardware, firmware, hardware drivers, system software and application software.
In this embodiment one management platform may centrally manage at least one trusted agent. This management model clearly also applies to other real-world scenarios, for example a provincial-level agency managing several city-level agencies.
For example, suppose there is one management platform (iTrustCenter) and three trusted agents (iTrustAgent): trusted agent 1, trusted agent 2 and trusted agent 3, all centrally managed by the platform. Each trusted agent can be a computing node fitted with a TPM security chip and responsible for the trusted services of that node.
First, each trusted agent pre-sets its own public key, private key, first identifier, the second identifier corresponding to its internal TPM security chip, and the first reference value of its internal components. For example, trusted agent 1 may be configured with RSA public key 1 and RSA private key 1, first identifier IP address 1 and ID number 001, second identifier TPM1 for its installed TPM security chip 1, and first reference value 1 for its internal components. Likewise, trusted agent 2 has RSA public key 2, RSA private key 2, IP address 2, ID number 002, TPM identifier TPM2 and first reference value 2; trusted agent 3 has RSA public key 3, RSA private key 3, IP address 3, ID number 003, TPM identifier TPM3 and first reference value 3.
Then each trusted agent obtains its own public key, first identifier, second identifier and first reference value, assembles them into registration information, and sends that registration information to the management platform.
In this embodiment, when the TPM security chip in a trusted agent has to be replaced, new registration information can be generated immediately after the replacement and sent to the management platform to update the original registration.
In this embodiment any trusted agent can automatically report basic registration information such as its public key and identifiers to the management platform in advance, so that the platform completes the initial registration and storage of that agent. This allows the management platform to be deployed in an automated way and helps it manage, and exchange information with, each trusted agent accurately.
Step 302: the management platform receives the registration information sent in advance by each trusted agent and performs node registration of each trusted agent according to it.
After receiving the registration information sent by each trusted agent, the management platform parses it and, from the parsed public key, first identifier, second identifier and first reference value of each agent, registers and stores each agent.
Step 303: the management platform determines in advance the Owner password corresponding to each second identifier.
In this embodiment the key information that the TPM security chip needs in order to execute a specific service instruction may be the Owner password (the TPM owner authorization value).
Because executing a specific service instruction on the TPM security chip requires the Owner password sent by the management platform, after each trusted agent is registered the platform can determine the Owner password corresponding to each TPM security chip, that is, establish the correspondence between each second identifier and its Owner password. For example, TPM1, TPM2 and TPM3 correspond to Owner password 1, Owner password 2 and Owner password 3 respectively.
Step 304: the management platform periodically obtains the current first measurement value of each of its own components and judges whether it equals the predetermined second reference value; if so, perform step 305.
To guarantee that information exchanged between the management platform and the trusted agents is secure and reliable, the management platform can first pass a regular routine self-check to guarantee its own security.
For example, the management platform can periodically obtain the measurement value of each of its components and compare them with the corresponding reference values. If they are all identical, the platform's own system is intact; otherwise the platform itself may have a problem or may have been intruded upon by a third party, in which case the communication connection between the management platform and every trusted agent can be stopped.
Step 305: each trusted agent periodically obtains the current second measurement value of each of its own components and sends it to the management platform.
On the one hand, like the management platform, each trusted agent can also pass a regular routine self-check to guarantee its own security. On the other hand, after obtaining its current measurement value, the trusted agent can also send it to the management platform so that the security of each agent is verified again from the platform's point of view.
Step 306: the management platform receives the second measurement value sent by each trusted agent and obtains the first reference value corresponding to each second measurement value.
Because each trusted agent sent its reference value to the management platform at node registration, the platform, on receiving the current measurement value sent by any trusted agent, can look up the corresponding reference value and compare the measurement value with it, to determine whether any managed trusted agent is abnormal.
For example, the three trusted agents can each send their current measurement value to the management platform through their respective IP-address channels. On receiving a measurement value, the platform can obtain the corresponding reference value from the matching node registration record according to the IP address.
Step 307: for each second measurement value, the management platform judges whether it equals the corresponding first reference value; if so, perform step 308; otherwise mark the corresponding trusted agent as abnormal and end the current process.
If the measurement value sent by a trusted agent differs from the reference value the management platform holds, that agent may have a problem or may have been intruded upon by a third party; it can then be marked as abnormal and the communication connection with it stopped. In this example, the measurement values of all three trusted agents are found to match their reference values, so the platform can communicate with them normally.
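The patent compares each component's "measurement value" with a reference value but does not say how the value is formed. The Go program below is an added example, not part of the patent or of the iTrustCenter/iTrustAgent software; it assumes the conventional TPM construction, in which the digest of each component is folded into a PCR-style composite by SHA-256(old || SHA-256(image)). Measure builds the composite, SelfCheck is the equality test of steps 102, 304 and 311, and Drift uses per-component digests kept at enrolment to name the component that changed, since the composite alone only says that something did. The component names and image bytes are constructed sample data. One caveat for a real deployment: a measurement the agent reports over the network is only as trustworthy as the channel it arrives on; in TPM practice the platform would ask for a quote (PCR values signed by the TPM over a fresh nonce) rather than a bare value.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Component is one measured part of a host. The text lists hardware, firmware,
// hardware drivers, system software and application software; Image stands for
// the bytes that are hashed (a firmware blob, a driver file, a binary).
type Component struct {
	Name  string
	Image []byte
}

// Measure folds per-component digests into one composite the way a TPM PCR
// extend does: pcr = SHA-256(pcr || SHA-256(image)), starting from all zeros.
// Assumption: the patent does not say how a measurement value is formed; this
// is the conventional TPM construction. It is order-sensitive by design.
func Measure(parts []Component) [32]byte {
	var pcr [32]byte
	for _, p := range parts {
		d := sha256.Sum256(p.Image)
		pcr = sha256.Sum256(append(pcr[:], d[:]...))
	}
	return pcr
}

// SelfCheck is the decision in steps 102/304/311: the current composite must
// equal the reference exactly; anything else is treated as a possible compromise.
func SelfCheck(current, reference [32]byte) bool {
	return current == reference
}

// Record stores the per-component digests at enrolment so that Drift can later
// name what changed.
func Record(parts []Component) map[string][32]byte {
	rec := make(map[string][32]byte, len(parts))
	for _, p := range parts {
		rec[p.Name] = sha256.Sum256(p.Image)
	}
	return rec
}

// Drift reports which components differ from their recorded digests. The
// composite alone only says "something changed"; this says what.
func Drift(parts []Component, recorded map[string][32]byte) []string {
	var changed []string
	for _, p := range parts {
		if sha256.Sum256(p.Image) != recorded[p.Name] {
			changed = append(changed, p.Name)
		}
	}
	return changed
}

// goldenParts is a constructed stand-in for the agent's components at enrolment.
func goldenParts() []Component {
	return []Component{
		{"firmware", []byte("BIOS v1.2 image bytes")},
		{"hardware-driver", []byte("nic.ko build 77")},
		{"system-software", []byte("kernel 4.4 + init")},
		{"application-software", []byte("iTrustAgent 1.0")},
	}
}

func main() {
	reference := Measure(goldenParts())
	recorded := Record(goldenParts())
	fmt.Println("reference:", hex.EncodeToString(reference[:]))

	// A later measurement with one component replaced: the composite no longer matches.
	later := goldenParts()
	later[1].Image = []byte("nic.ko build 78 (unexpected)")
	current := Measure(later)
	fmt.Println("self-check passes:", SelfCheck(current, reference))
	fmt.Println("changed components:", Drift(later, recorded))
}
```

Because the fold is ordered, swapping two components also changes the composite even when every image is unchanged, which is what makes a PCR-style value a record of the measured sequence and not just of its contents.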
Step 308: management platform obtains the first mark of the trusted agent end 1 of staff's input: 001, and obtains the PKI corresponding with 001: RSA PKI 1 and the second mark: TPM1.
When the staff in management platform needs the TPM safety chip 1 in trusted agent end 1 to perform business A, it is possible to the mark 001 of input trusted agent end 1, and the service order A that input is corresponding with business A.Management platform is after the mark 001 getting input, it is possible to according to log-on message, obtains the PKI corresponding with mark 001 and the second mark, respectively RSA PKI 1 and TPM1.
Step 309: The management platform encrypts Owner password 1, which corresponds to TPM1, with RSA public key 1 to obtain the corresponding ciphertext.
Having obtained the second identifier TPM1, the management platform obtains the corresponding Owner password 1 from the predetermined correspondence between second identifiers and Owner passwords. So that trusted agent end 1 can receive this password while its transmission stays secure and reliable, the management platform encrypts Owner password 1 with RSA public key 1 of trusted agent end 1 to obtain the corresponding ciphertext.
With this implementation, the key information needed to perform any business is encrypted into a ciphertext and only the ciphertext is transmitted, which protects the key information in transit. Specifically, the key information is encrypted with the unique RSA public key of the particular trusted agent end that will perform the business, rather than with a single unified key of the management platform; the resulting ciphertext is sent to that trusted agent end, which decrypts it with its own unique RSA private key to recover the key information. This further strengthens the protection of the key information in transit and effectively ensures that it is transmitted securely and reliably.
Step 310: The management platform obtains service instruction A entered by the operator and sends the ciphertext carrying service instruction A to trusted agent end 1.
Step 311: Trusted agent end 1 obtains the current third measurement values of all of its components and judges whether they equal the corresponding first reference values; if so, step 312 is performed.
As above, before receiving the ciphertext sent by the management platform, trusted agent end 1 can again perform a security self-check of its own system. In the present embodiment, the self-check of trusted agent end 1 passes.
In the present embodiment, each trusted agent end and the management platform can be made to undergo periodic, routine security self-checks, while the management platform performs a uniform, timed security check of every trusted agent end, so that both parties to the information exchange are themselves secure and reliable. On top of the encrypted transmission of key information, this further ensures that information is transmitted securely and reliably.
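The comparison that steps 307 and 311 rely on, written out as an added example in Go; it is not code from the patent or from Inspur. It assumes a SHA-256 digest over each component's bytes as the measurement value (the patent does not name a measurement function), constructed component names and images, and a platform that stores the reference values each trusted agent end registered in advance and marks an agent abnormal on any mismatch:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// AgentState is the state the management platform records for a trusted agent end.
type AgentState string

const (
	StateNormal   AgentState = "normal"
	StateAbnormal AgentState = "abnormal"
)

// Measure computes the measurement value of one component as the hex SHA-256 of its
// bytes (assumption of this example; the page does not name the measurement function).
func Measure(component []byte) string {
	sum := sha256.Sum256(component)
	return hex.EncodeToString(sum[:])
}

// Compare checks every reported measurement against its reference value and returns
// one reason per discrepancy. A missing component or an unexpected extra component
// counts as a discrepancy too. An empty result means the system is unchanged.
func Compare(reference, reported map[string]string) []string {
	var reasons []string
	for name, want := range reference {
		got, ok := reported[name]
		switch {
		case !ok:
			reasons = append(reasons, name+": no measurement reported")
		case got != want:
			reasons = append(reasons, name+": measurement differs from reference")
		}
	}
	for name := range reported {
		if _, ok := reference[name]; !ok {
			reasons = append(reasons, name+": component not in reference set")
		}
	}
	sort.Strings(reasons) // deterministic order for logs and tests
	return reasons
}

// Platform keeps, per trusted agent end, the reference values received at
// registration and the state decided by the latest comparison (step 307).
type Platform struct {
	reference map[string]map[string]string // first identifier -> component -> reference value
	state     map[string]AgentState
}

func NewPlatform() *Platform {
	return &Platform{reference: map[string]map[string]string{}, state: map[string]AgentState{}}
}

// RegisterReference stores the reference values an agent sends in advance.
func (p *Platform) RegisterReference(agentID string, ref map[string]string) {
	p.reference[agentID] = ref
	p.state[agentID] = StateNormal
}

// Evaluate implements step 307 for one agent: freshly reported measurement values are
// compared with the stored references, and any difference marks the agent abnormal.
func (p *Platform) Evaluate(agentID string, reported map[string]string) (AgentState, []string) {
	ref, ok := p.reference[agentID]
	if !ok {
		p.state[agentID] = StateAbnormal
		return StateAbnormal, []string{"agent has not registered reference values"}
	}
	reasons := Compare(ref, reported)
	p.state[agentID] = StateNormal
	if len(reasons) > 0 {
		p.state[agentID] = StateAbnormal
	}
	return p.state[agentID], reasons
}

// MayCommunicate is the gate applied before any ciphertext is sent to an agent.
func (p *Platform) MayCommunicate(agentID string) bool {
	return p.state[agentID] == StateNormal
}

func main() {
	// Constructed component images for trusted agent end "001".
	reference := map[string]string{
		"bios":   Measure([]byte("bios image v1")),
		"kernel": Measure([]byte("kernel image v1")),
		"agent":  Measure([]byte("agent binary v1")),
	}
	p := NewPlatform()
	p.RegisterReference("001", reference)
	fmt.Println(p.Evaluate("001", reference)) // normal []
	tampered := map[string]string{"bios": reference["bios"], "kernel": reference["kernel"],
		"agent": Measure([]byte("agent binary v1, modified"))}
	fmt.Println(p.Evaluate("001", tampered)) // abnormal [agent: measurement differs from reference]
	fmt.Println(p.MayCommunicate("001"))      // false
}
```

The same Compare function serves both the platform's check of an agent's reported values (step 307) and an agent's self-check against its own stored references (step 311). A component that stops reporting, or an extra component that was never registered, is treated as a mismatch rather than ignored, since silence from a component is not evidence that it is unchanged.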
Step 312: Trusted agent end 1 receives the ciphertext carrying service instruction A sent by the management platform, obtains service instruction A, and decrypts the ciphertext with its own private key, RSA private key 1, to obtain Owner password 1.
After obtaining the ciphertext, trusted agent end 1 first reads the service instruction A carried with the ciphertext, then reads its own private key, RSA private key 1, and decrypts the ciphertext with it to obtain Owner password 1.
Because only the trusted agent end itself holds its unique private key, a third party who maliciously intercepts the encrypted key information in transit still cannot recover the key information. This implementation therefore benefits the secure and trustworthy delivery of key information.
Step 313: Trusted agent end 1 uses Owner password 1 to drive its internal TPM security chip 1 to perform service instruction A.
Step 314: Trusted agent end 1 feeds back the business processing result corresponding to service instruction A to the management platform.
In the present embodiment, whatever the processing result of the service instruction, it is fed back to the management platform so that the management platform can record it, manage it and take the corresponding action. For example, after trusted agent end 1 has used its internal TPM security chip 1 to successfully perform business A corresponding to service instruction A, it can send the management platform a notification message stating that service instruction A was executed successfully, so that the management platform can record this information.
This embodiment mainly describes the flow in which an operator at the management platform requires a trusted agent end to perform a specific business; clearly, any trusted agent end can equally initiate communication with the management platform. For example, when trusted agent end 2 needs to perform business B, it can combine the service instruction B corresponding to business B with the identifier TPM2 of its internal TPM security chip 2 and send the combined information to the management platform. On receiving the combined information, the management platform can audit it and, if the audit finds no error, obtain Owner password 2 corresponding to TPM2, obtain the corresponding RSA public key 2, encrypt Owner password 2 with RSA public key 2, and send the result to trusted agent end 2.
Further, when trusted agent end 2 actively sends information to the management platform, it can likewise encrypt the information to be transmitted with the RSA private key 2 it holds, and the management platform, after receiving the encrypted information, can decrypt it with the corresponding RSA public key 2. This implementation can likewise ensure secure and reliable transmission of information between the two parties.
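The encrypted delivery of steps 308 to 312, as an added Go example using the standard library's RSA-OAEP; this is not code from the patent or from Inspur. The Owner passwords, identifiers and 2048-bit keys are constructed for the example, the message is a plain struct rather than whatever wire format the patent's implementation uses, and binding the service instruction into the OAEP label is a hardening added here, not something the patent describes:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Registration is what the platform keeps from an agent's registration information.
type Registration struct {
	FirstID  string         // first identifier, e.g. "001"
	SecondID string         // second identifier of the internal TPM chip, e.g. "TPM1"
	PubKey   *rsa.PublicKey // the agent's RSA public key
}

// Message is the "ciphertext carrying the service instruction" of steps 310 and 312.
type Message struct {
	ServiceInstruction string // travels in the clear
	Ciphertext         []byte // the Owner password, RSA-OAEP encrypted
}

// ManagementPlatform holds registrations and the second-identifier -> Owner password
// correspondence of step 309 (the passwords are constructed values in this example).
type ManagementPlatform struct {
	agents    map[string]Registration // keyed by first identifier
	ownerPass map[string][]byte       // keyed by second identifier
}

func NewManagementPlatform() *ManagementPlatform {
	return &ManagementPlatform{agents: map[string]Registration{}, ownerPass: map[string][]byte{}}
}

func (p *ManagementPlatform) Register(r Registration, ownerPass []byte) {
	p.agents[r.FirstID] = r
	p.ownerPass[r.SecondID] = ownerPass
}

// BuildInstruction implements steps 308-310: look up public key and TPM identifier by
// first identifier and encrypt that TPM's Owner password under the agent's own public
// key. The instruction doubles as the OAEP label (a hardening added in this example),
// so the ciphertext decrypts only together with the instruction it was issued for.
func (p *ManagementPlatform) BuildInstruction(firstID, instruction string) (Message, error) {
	reg, ok := p.agents[firstID]
	if !ok {
		return Message{}, fmt.Errorf("no registration for identifier %q", firstID)
	}
	pass, ok := p.ownerPass[reg.SecondID]
	if !ok {
		return Message{}, fmt.Errorf("no owner password for %q", reg.SecondID)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, reg.PubKey, pass, []byte(instruction))
	if err != nil {
		return Message{}, err
	}
	return Message{ServiceInstruction: instruction, Ciphertext: ct}, nil
}

// TrustedAgent holds the RSA private key, which never leaves the agent.
type TrustedAgent struct {
	FirstID, SecondID string
	priv              *rsa.PrivateKey
}

func NewTrustedAgent(firstID, secondID string) (*TrustedAgent, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TrustedAgent{FirstID: firstID, SecondID: secondID, priv: priv}, nil
}

// Registration is the registration information the agent sends at the start.
func (a *TrustedAgent) Registration() Registration {
	return Registration{FirstID: a.FirstID, SecondID: a.SecondID, PubKey: &a.priv.PublicKey}
}

// HandleInstruction implements step 312: read the service instruction, then recover
// the Owner password with the agent's own private key.
func (a *TrustedAgent) HandleInstruction(m Message) (string, []byte, error) {
	pass, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, m.Ciphertext, []byte(m.ServiceInstruction))
	if err != nil {
		return "", nil, fmt.Errorf("owner password not recoverable: %w", err)
	}
	return m.ServiceInstruction, pass, nil
}

func main() {
	agent, _ := NewTrustedAgent("001", "TPM1")
	platform := NewManagementPlatform()
	platform.Register(agent.Registration(), []byte("constructed-owner-password-1"))
	msg, _ := platform.BuildInstruction("001", "A")
	instr, pass, err := agent.HandleInstruction(msg)
	fmt.Println(instr, string(pass), err)
}
```

Decryption with any key other than the registered agent's own private key fails, which is the property the paragraph on step 312 relies on, and a ciphertext re-sent with a different service instruction fails too because of the label. The agent-to-platform direction described just above is not shown: Go's standard library exposes the private-key operation as a signature (rsa.SignPSS, verified with the public key), which gives the platform assurance of origin and integrity; keeping the agent's report confidential toward the platform would need encryption under a public key held by the platform.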
As shown in Figure 4, an embodiment of the invention provides a trusted agent end 40, comprising:
a determining unit 401, for initially determining the public key, the private key and the first identifier of the trusted agent end, and the second identifier corresponding to its internal TPM security chip 402, and for sending registration information comprising the public key, the first identifier and the second identifier to a management platform;
a judging unit 403, for judging whether the current first measurement values of all components in the trusted agent end equal the predetermined first reference values and, if so, triggering a decryption unit 404;
the decryption unit 404, for receiving the ciphertext encrypted with the public key and sent by the management platform, the ciphertext carrying a service instruction; and for obtaining the service instruction and decrypting the ciphertext with the private key to obtain the key information corresponding to the ciphertext;
a processing unit 405, for using the key information to drive the TPM security chip 402 to perform the service instruction; and
the TPM security chip 402, for performing the service instruction.
In one embodiment of the invention, referring to Figure 5, the trusted agent end 40 may further comprise:
a transmitting unit 501, for initially sending the first reference values of all components in the trusted agent end to the management platform, and for sending the current first measurement values of all components in the trusted agent end to the management platform and triggering the judging unit 403.
As shown in Figure 6, an embodiment of the invention provides a management platform 60, comprising:
a first processing unit 601, for initially receiving the registration information sent by each trusted agent end and registering each trusted agent end as a node according to the public key, the first identifier and the second identifier therein; and for initially determining the key information corresponding to each second identifier;
a judging unit 602, for judging whether the current second measurement values of all components in the management platform equal the predetermined second reference values and, if so, triggering an acquiring unit 603;
the acquiring unit 603, for obtaining the entered first target identifier of a target trusted agent end, and for obtaining the target public key and the second target identifier corresponding to the first target identifier;
an encrypting unit 604, for encrypting the target key information corresponding to the second target identifier with the target public key to obtain the corresponding target ciphertext; and
a second processing unit 605, for obtaining the entered target service instruction and sending the target ciphertext carrying the target service instruction to the target trusted agent end.
In one embodiment of the invention, referring to Figure 7, the management platform 60 may further comprise:
a third processing unit 701, for initially receiving the first reference values sent by each trusted agent end; receiving the first target measurement values sent by the target trusted agent end; obtaining the first target reference values corresponding to the target trusted agent end; and judging whether the first target measurement values equal the first target reference values and, if so, triggering the acquiring unit 603.
As shown in Figure 8, an embodiment of the invention provides an information encrypted transmission system, comprising at least one trusted agent end 40 as described above and a management platform 60 as described above.
The information exchanged between the units of the above apparatus and their execution flows are based on the same conception as the method embodiments of the invention; for details, refer to the description of the method embodiments, which is not repeated here.
In summary, the embodiments of the invention have at least the following beneficial effects:
1. In the embodiments of the invention, a trusted agent end initially determines its own public key, private key and related basic information, and sends the public key and basic information to the management platform for registration. Once it has verified that its own system is intact, the trusted agent end receives the ciphertext carrying a service instruction, encrypted with its public key, sent by the management platform; it decrypts the ciphertext with its private key to obtain the corresponding key information, and uses that key information to drive its internal TPM security chip to perform the service instruction. On the premise that the management platform system is secure, the system self-check of the trusted agent end combined with encrypted transmission of key information achieves secure transmission of key information between the trusted agent end and the management platform. The embodiments of the invention therefore improve the security of encrypted information transmission.
2. In the embodiments of the invention, the management platform registers each trusted agent end as a node in advance and initially determines the key information corresponding to each TPM security chip. Once it has verified that its own system is intact, the management platform obtains the target public key and key information corresponding to the target trusted agent end, encrypts the key information with the target public key to obtain the corresponding ciphertext, and sends the ciphertext carrying the service instruction to the target trusted agent end. On the premise that the target trusted agent end system is secure, the system self-check of the management platform combined with encrypted transmission of key information achieves secure transmission of key information between the trusted agent end and the management platform. The embodiments of the invention therefore improve the security of encrypted information transmission.
3. In the embodiments of the invention, any trusted agent end can initially report basic registration information such as its own public key and identifiers to the management platform automatically, so that the management platform completes the initial registration and storage of that trusted agent end. This allows automated deployment of the management platform system and therefore benefits accurate management of, and information exchange with, each trusted agent end.
4. In the embodiments of the invention, the key information needed to perform any business is encrypted into a ciphertext and only the ciphertext is transmitted, which protects the key information in transit. Specifically, the key information is encrypted with the unique RSA public key of the particular trusted agent end that will perform the business, rather than with a single unified key of the management platform; the resulting ciphertext is sent to that trusted agent end, which decrypts it with its own unique RSA private key to recover the key information. This further strengthens the protection of the key information in transit and effectively ensures that it is transmitted securely and reliably.
5. In the embodiments of the invention, each trusted agent end and the management platform can be made to undergo periodic, routine security self-checks, while the management platform performs a uniform, timed security check of every trusted agent end, so that both parties to the information exchange are themselves secure and reliable. On top of the encrypted transmission of key information, this further ensures that information is transmitted securely and reliably.
6. In the embodiments of the invention, because only the trusted agent end itself holds its unique private key, a third party who maliciously intercepts the encrypted key information in transit still cannot recover the key information. This implementation therefore benefits the secure and trustworthy delivery of key information.
7. In the embodiments of the invention, when a trusted agent end actively sends information to the management platform, it can likewise encrypt the information to be transmitted with the RSA private key it holds, and the management platform, after receiving the encrypted information, can decrypt it with the corresponding RSA public key. This implementation can likewise ensure secure and reliable transmission of information between the two parties.
It should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be understood that the foregoing describes only preferred embodiments of the invention, intended to illustrate its technical solution and not to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (10)

1. An information encrypted transmission method, characterized in that it is applied to a trusted agent end, wherein the public key, the private key and a first identifier of the trusted agent end, and a second identifier corresponding to its internal Trusted Platform Module (TPM) security chip, are determined in advance, and registration information comprising the public key, the first identifier and the second identifier is sent to a management platform, the method further comprising:
S1: judging whether the current first measurement values of all components in the trusted agent end equal predetermined first reference values and, if so, performing S2;
S2: receiving the ciphertext encrypted with the public key and sent by the management platform, the ciphertext carrying a service instruction;
S3: obtaining the service instruction, and decrypting the ciphertext with the private key to obtain the key information corresponding to the ciphertext;
S4: using the key information to drive the TPM security chip to perform the service instruction.
2. The method according to claim 1, characterized in that, before S2, it further comprises:
sending the first reference values of all components in the trusted agent end to the management platform in advance;
sending the current first measurement values of all components in the trusted agent end to the management platform.
3. The method according to any one of claims 1 and 2, characterized in that
the first identifier comprises one or more of: an IP address, a name and an ID number;
and/or,
after S4, the method further comprises:
feeding back the business processing result corresponding to the service instruction to the management platform.
4. An information encrypted transmission method, characterized in that it is applied to a management platform, wherein the registration information sent by each trusted agent end is received in advance, each trusted agent end is registered as a node according to the public key, the first identifier and the second identifier therein, and the key information corresponding to each second identifier is determined in advance, the method further comprising:
S1: judging whether the current second measurement values of all components in the management platform equal predetermined second reference values and, if so, performing S2;
S2: obtaining the entered first target identifier of a target trusted agent end, and obtaining the target public key and the second target identifier corresponding to the first target identifier;
S3: encrypting the target key information corresponding to the second target identifier with the target public key to obtain the corresponding target ciphertext;
S4: obtaining the entered target service instruction, and sending the target ciphertext carrying the target service instruction to the target trusted agent end.
5. The method according to claim 4, characterized in that, before S2, it further comprises:
receiving the first reference values sent by each trusted agent end in advance;
receiving the first target measurement values sent by the target trusted agent end;
obtaining the first target reference values corresponding to the target trusted agent end;
judging whether the first target measurement values equal the first target reference values and, if so, performing S2.
6. A trusted agent end, characterized in that it comprises:
a determining unit, for initially determining the public key, the private key and the first identifier of the trusted agent end, and the second identifier corresponding to its internal TPM security chip, and for sending registration information comprising the public key, the first identifier and the second identifier to a management platform;
a judging unit, for judging whether the current first measurement values of all components in the trusted agent end equal predetermined first reference values and, if so, triggering a decryption unit;
the decryption unit, for receiving the ciphertext encrypted with the public key and sent by the management platform, the ciphertext carrying a service instruction; and for obtaining the service instruction and decrypting the ciphertext with the private key to obtain the key information corresponding to the ciphertext;
a processing unit, for using the key information to drive the TPM security chip to perform the service instruction;
the TPM security chip, for performing the service instruction.
7. The trusted agent end according to claim 6, characterized in that it further comprises:
a transmitting unit, for initially sending the first reference values of all components in the trusted agent end to the management platform; and for sending the current first measurement values of all components in the trusted agent end to the management platform and triggering the judging unit.
8. A management platform, characterized in that it comprises:
a first processing unit, for initially receiving the registration information sent by each trusted agent end and registering each trusted agent end as a node according to the public key, the first identifier and the second identifier therein; and for initially determining the key information corresponding to each second identifier;
a judging unit, for judging whether the current second measurement values of all components in the management platform equal predetermined second reference values and, if so, triggering an acquiring unit;
the acquiring unit, for obtaining the entered first target identifier of a target trusted agent end, and for obtaining the target public key and the second target identifier corresponding to the first target identifier;
an encrypting unit, for encrypting the target key information corresponding to the second target identifier with the target public key to obtain the corresponding target ciphertext;
a second processing unit, for obtaining the entered target service instruction and sending the target ciphertext carrying the target service instruction to the target trusted agent end.
9. The management platform according to claim 8, characterized in that it further comprises:
a third processing unit, for initially receiving the first reference values sent by each trusted agent end; receiving the first target measurement values sent by the target trusted agent end; obtaining the first target reference values corresponding to the target trusted agent end; and judging whether the first target measurement values equal the first target reference values and, if so, triggering the acquiring unit.
10. An information encrypted transmission system, characterized in that it comprises: at least one trusted agent end according to any one of claims 6 and 7, and a management platform according to any one of claims 8 and 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610206203.5A CN105743918A (en) 2016-04-05 2016-04-05 Information encrypted transmission method, device and system

Publications (1)

Publication Number Publication Date
CN105743918A true CN105743918A (en) 2016-07-06

Family

ID=56252797

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1740940A (en) * 2005-09-09 2006-03-01 北京兆日科技有限责任公司 Method for realizing computer software intruder preventing edition based on confidence computation module chip
US20120324238A1 (en) * 2011-06-15 2012-12-20 Ricoh Company, Ltd. Information processing apparatus, verification method, and storage medium storing verification program
CN105162602A (en) * 2015-09-01 2015-12-16 中国互联网络信息中心 Trusted network identity management and verification system and method
CN105227319A (en) * 2015-10-23 2016-01-06 浪潮电子信息产业股份有限公司 A kind of method of authentication server and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160706