CN106712932B - Key management method, apparatus and system
Publication number: CN106712932B (application CN201610579122.XA)
Authority: CN (China)
Classifications
- H: Electricity
- H04: Electric communication technique
- H04L: Transmission of digital information, e.g. telegraphic communication
- H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
- H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Abstract
The invention discloses a key management method, apparatus and system in the field of information security technology. The method includes: a client generates a temporary key, encrypts the temporary key with a public key provided by a background server to obtain a first ciphertext, and sends the first ciphertext to the background server; the background server decrypts the first ciphertext with the private key corresponding to the public key to obtain the temporary key, obtains a session key and a key identification, encrypts the session key and the key identification with the temporary key to obtain a second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification. The key identification identifies the session key, and the session key is used to encrypt the data of the session. While taking into account both the security of the keys and the efficiency of encryption and decryption, the invention also simplifies the background server's management of keys and saves the processing and storage resources of the background server.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a key management method, apparatus and system.
Background art
Currently, data encryption falls into two classes: symmetric cryptography and asymmetric cryptography.
Symmetric encryption is a fast and simple mode in which encryption and decryption use the same key (secret key). It usually uses a relatively small key, generally less than 256 bits. A larger key gives stronger encryption but slower encryption and decryption, so the key size must balance security against efficiency. AES (Advanced Encryption Standard), also known in cryptography as the Rijndael cipher, is a typical symmetric mode; for a 256-byte plaintext, its estimated speed is about 900,000 operations per second. Because encryption and decryption use the same key, the advantage of symmetric encryption is speed; its disadvantage is that the two communicating parties must agree on the key in advance, and if the key is transmitted over the network its security cannot be guaranteed.
Asymmetric encryption provides a very secure method of encrypting and decrypting data using a key pair: a public key and a private key. The private key is kept safe by one party only and must not be leaked, while the public key can be issued to any party that requests it. Asymmetric encryption usually encrypts with the public key and decrypts with the private key. Unlike symmetric encryption, the private key is never transmitted over the network, which improves security. The common asymmetric algorithm at present is RSA (Rivest-Shamir-Adleman), a public key encryption algorithm. The advantage of asymmetric encryption is high security; its disadvantage is that encryption and decryption are slow: for a 1024-bit key, the estimated decryption speed is 1000-1400 operations per second, varying slightly with the hardware.
Based on this, the data to be transmitted is encrypted and decrypted with symmetric encryption, while the symmetric key itself is transmitted using asymmetric encryption. This ensures both that the symmetric key is not exposed directly on the network and that encryption and decryption remain efficient. Specifically, in the prior art, one communicating party first generates a random number as the symmetric key, encrypts the symmetric key with the public key provided by the communication peer, and sends the encrypted symmetric key to the peer; the peer decrypts it with the private key corresponding to that public key to obtain the symmetric key. Thereafter, the two parties use the symmetric key to encrypt and decrypt the data transmitted between them.
In some current business scenarios that use the C/S (Client/Server) architecture, the number of daily active clients can reach the order of ten million or even one hundred million, and the number of sessions between clients and the server is correspondingly huge. As a result, the server must spend a large amount of resources managing symmetric keys.
Summary of the invention
To solve the prior-art problem that the server must spend a large amount of resources managing symmetric keys, embodiments of the present invention provide a key management method, apparatus and system. The technical solution is as follows:
In a first aspect, a key management method is provided, the method comprising:
generating a temporary key;
encrypting the temporary key using a public key provided by a background server to obtain a first ciphertext;
sending an authentication request to the background server, the authentication request carrying the first ciphertext;
receiving an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server, after obtaining the globally unique identifier (GUID) of the device on which the client is located and detecting that the number of authentication requests corresponding to the GUID is less than a preset threshold, by decrypting the first ciphertext using a private key corresponding to the public key; the key identification is for identifying the session key, and the session key is for encrypting the data of the session;
decrypting the second ciphertext using the temporary key to obtain the session key and the key identification.
In a second aspect, a key management method is provided, the method comprising:
receiving an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being obtained by encrypting a temporary key using a public key provided by the local end;
obtaining the globally unique identifier (GUID) of the device on which the client is located;
obtaining the number of authentication requests corresponding to the GUID;
if the number of authentication requests is less than a preset threshold, decrypting the first ciphertext using a private key corresponding to the public key to obtain the temporary key;
obtaining a session key and a key identification; wherein the key identification is for identifying the session key, and the session key is for encrypting the data of the session;
encrypting the session key and the key identification using the temporary key to obtain a second ciphertext;
sending an authentication response to the client, the authentication response carrying the second ciphertext.
In a third aspect, a key management apparatus is provided, the apparatus comprising:
a key generation module, for generating a temporary key;
a first encryption module, for encrypting the temporary key using a public key provided by a background server to obtain a first ciphertext;
a request sending module, for sending an authentication request to the background server, the authentication request carrying the first ciphertext;
a response receiving module, for receiving an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server, after obtaining the globally unique identifier (GUID) of the device on which the client is located and detecting that the number of authentication requests corresponding to the GUID is less than a preset threshold, by decrypting the first ciphertext using a private key corresponding to the public key; the key identification is for identifying the session key, and the session key is for encrypting the data of the session;
a first decryption module, for decrypting the second ciphertext using the temporary key to obtain the session key and the key identification.
In a fourth aspect, a key management apparatus is provided, the apparatus comprising:
a request receiving module, for receiving an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being obtained by encrypting a temporary key using a public key provided by the local end;
an identifier acquisition module, for obtaining the globally unique identifier (GUID) of the device on which the client is located;
a count acquisition module, for obtaining the number of authentication requests corresponding to the GUID;
a second decryption module, for decrypting the first ciphertext using a private key corresponding to the public key to obtain the temporary key when the number of authentication requests is less than a preset threshold;
a key acquisition module, for obtaining a session key and a key identification; wherein the key identification is for identifying the session key, and the session key is for encrypting the data of the session;
a second encryption module, for encrypting the session key and the key identification using the temporary key to obtain a second ciphertext;
a response sending module, for sending an authentication response to the client, the authentication response carrying the second ciphertext.
In a fifth aspect, a key management system is provided, the system comprising a client and a background server;
the client comprises the key management apparatus of the third aspect;
the background server comprises the key management apparatus of the fourth aspect.
In a sixth aspect, a computer-readable storage medium is provided, the storage medium storing a program which, when executed by a processor, implements the key management method of the first aspect.
In a seventh aspect, a computer-readable storage medium is provided, the storage medium storing a program which, when executed by a processor, implements the key management method of the second aspect.
The technical solutions provided by the embodiments of the present invention bring the following beneficial effects:
The client encrypts the temporary key using asymmetric encryption and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and key identification with the temporary key to obtain a second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and key identification, so that in subsequent sessions with the background server the client can encrypt and decrypt the session data using the session key. This solves the prior-art problem that, because the number of sessions between clients and the server is huge, the server must spend a large amount of resources managing symmetric keys. Compared with the prior art, in which the symmetric key generated by the client is used directly to encrypt and decrypt the session data, the embodiments of the present invention encrypt and decrypt the session data with a session key provided by the background server, so the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This simplifies the background server's key management and helps save its resources.
The technical solutions provided by the embodiments of the present invention, while taking into account both key security and encryption/decryption efficiency, also simplify the background server's management of keys and save its processing and storage resources. The key management scheme provided by the embodiments is therefore well suited to high-concurrency business scenarios with large volumes, such as the business scenario of the C/S architecture: even if the number of daily active clients reaches the order of ten million or even one hundred million, and the number of sessions between clients and the server is huge, the server can still manage the keys needed for encryption simply and effectively while ensuring the security and the encryption/decryption efficiency of the data transmitted between clients and the server.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an implementation environment provided by one embodiment of the present invention;
Fig. 2 is a schematic diagram of an implementation environment provided by another embodiment of the present invention;
Fig. 3 is a flow chart of a key management method provided by one embodiment of the present invention;
Fig. 4 is a flow chart of a key management method provided by another embodiment of the present invention;
Fig. 5 is a flow chart of the authorization phase involved in one embodiment of the present invention;
Fig. 6 is a flow chart of the data communication phase involved in one embodiment of the present invention;
Fig. 7 is a block diagram of a key management apparatus provided by one embodiment of the present invention;
Fig. 8 is a block diagram of a key management apparatus provided by another embodiment of the present invention;
Fig. 9 is a block diagram of a key management system provided by one embodiment of the present invention;
Fig. 10 is a structural schematic diagram of a terminal provided by one embodiment of the present invention;
Fig. 11 is a structural schematic diagram of a server provided by one embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Fig. 1 shows a schematic diagram of an implementation environment provided by one embodiment of the present invention. Taking the business scenario of the C/S architecture as an example, the implementation environment includes at least one terminal 11 and a background server 12.
A client can be installed and run on the terminal 11. The embodiments of the present invention do not limit the type of client; for example, the client may be an instant messaging client, a social application client, a payment application client, a video playback client, and so on. The terminal 11 may be an electronic device such as a mobile phone, tablet computer, e-book reader, multimedia playback device, laptop computer or desktop computer.
A communication connection between the terminal 11 and the background server 12 can be established over a wired or wireless network.
The background server 12 may be a single server, a server cluster made up of multiple servers, or a cloud computing service center.
In one example, taking the case where the background server 12 is a server cluster made up of multiple servers, as shown in Fig. 2, the background server 12 includes an access server 121, a service server 122, an authentication center server 123 and a key management server 124.
The access server 121 is the medium for transmitting and distributing data between the client on one side and the service server 122 and authentication center server 123 on the other. The access server 121 establishes communication connections over the network with the service server 122, the authentication center server 123 and the key management server 124.
The service server 122 provides business services to the client. The embodiments of the present invention do not limit the type of service provided by the service server 122; examples include instant messaging, social, payment and video services.
The authentication center server 123 provides authentication services to the client and provides the client with the keys needed for encryption. The authentication center server 123 establishes a communication connection with the key management server 124 over the network.
The key management server 124 manages keys. Optionally, the authentication center server 123 and the key management server 124 may be two independent servers, or they may be integrated into a single server.
The technical solutions provided by the embodiments of the present invention can be applied to any business scenario in which the data transmitted between two communicating ends must be encrypted. The embodiments of the present invention use the business scenario of the C/S architecture only as an example and do not limit the devices at the two communicating ends. For example, the two ends may be a terminal running a client and a background server, a terminal and a base station, a server and another server, and so on.
Fig. 3 shows a flow chart of a key management method provided by one embodiment of the present invention. The method can be applied in the implementation environment shown in Fig. 1 and may include the following steps.
Step 301, the client generates a temporary key.
Step 302, the client encrypts the temporary key using the public key provided by the background server to obtain a first ciphertext.
Step 303, the client sends an authentication request to the background server, the authentication request carrying the first ciphertext.
Correspondingly, the background server receives the authentication request sent by the client.
Step 304, the background server decrypts the first ciphertext using the private key corresponding to the public key to obtain the temporary key.
Step 305, the background server obtains a session key and a key identification; the key identification identifies the session key, and the session key is used to encrypt the data of the session.
Step 306, the background server encrypts the session key and the key identification using the temporary key to obtain a second ciphertext.
Step 307, the background server sends an authentication response to the client, the authentication response carrying the second ciphertext.
Correspondingly, the client receives the authentication response sent by the background server.
Step 308, the client decrypts the second ciphertext using the temporary key to obtain the session key and the key identification.
In summary, in the method provided by this embodiment, the client encrypts the temporary key using asymmetric encryption and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and key identification with the temporary key to obtain a second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and key identification, so that in subsequent sessions with the background server the client can encrypt and decrypt the session data using the session key. This solves the prior-art problem that, because the number of sessions between clients and the server is huge, the server must spend a large amount of resources managing symmetric keys. Compared with the prior art, in which the symmetric key generated by the client is used directly to encrypt and decrypt the session data, this embodiment encrypts and decrypts the session data with a session key provided by the background server, so the background server only needs to manage session keys and does not need to manage keys generated by a large number of clients. This simplifies the background server's key management and helps save its resources.
The technical solutions provided by the embodiments of the present invention, while taking into account both key security and encryption/decryption efficiency, also simplify the background server's management of keys and save its processing and storage resources. The key management scheme provided by the embodiments is therefore well suited to high-concurrency business scenarios with large volumes, such as the business scenario of the C/S architecture: even if the number of daily active clients reaches the order of ten million or even one hundred million, and the number of sessions between clients and the server is huge, the server can still manage the keys needed for encryption simply and effectively while ensuring the security and the encryption/decryption efficiency of the data transmitted between clients and the server.
In the embodiments of the present invention, a session refers to the communication interaction between two devices within one uninterrupted period of a specific operation. All data packets exchanged between the two devices during a session belong to that session. In one example, taking the business scenario of the C/S architecture, a session may be one "call process" between the client and the server, that is, one complete request and response process.
Fig. 4 shows a flow chart of a key management method provided by another embodiment of the present invention. The method can be applied in the implementation environment shown in Fig. 1 and may include the following steps.
Step 401, the client generates a temporary key.
In one example, the temporary key is generated using a random number generator. The temporary key is a symmetric key.
It should be noted that in the embodiments of the present invention the temporary key is not the key used to encrypt and decrypt the data of the session; it is used only to encrypt and decrypt the session key. The session key is the key actually used to encrypt and decrypt the data of the session.
Step 402, the client encrypts the temporary key using the public key provided by the background server to obtain a first ciphertext.
The public key is distributed to the client in advance by the background server. In one example, the background server writes the public key into a binary file that carries the digital signature of the development company corresponding to the client, and sends the digitally signed binary file to the client. The signature guarantees that the file has not been tampered with or forged, so that the public key is issued securely. Optionally, the public key can be updated along with the binary file: after the background server enables a new public key, it can send a binary file carrying the new public key to the client again.
After generating the temporary key, the client encrypts it according to the asymmetric encryption mode using the public key provided by the background server, obtaining the first ciphertext.
Step 403, the client sends an authentication request to the background server, the authentication request carrying the first ciphertext.
The authentication request asks the background server to authenticate the client and, if authentication passes, to distribute to the client the key needed to encrypt the session data.
Correspondingly, the background server receives the authentication request sent by the client.
Furthermore, because the temporary key is encrypted with the public key provided by the background server, even if the authentication request is intercepted by a malicious user, that user cannot decrypt the first ciphertext to obtain the temporary key, since it does not hold the private key corresponding to the public key. The security of the temporary key is therefore guaranteed, and with it the security of the session key transmitted later.
Step 404, the background server decrypts the first ciphertext using the private key corresponding to the public key to obtain the temporary key.
After receiving the authentication request, the background server decrypts the first ciphertext according to the asymmetric encryption mode using the private key corresponding to the public key, obtaining the temporary key.
Step 405, the background server obtains a session key and a key identification.
The key identification identifies the session key, and the session key is used to encrypt the data of the session. The session key is a symmetric key. Optionally, the session key is a continuous byte stream, generally an integral multiple of 128 bits, produced by a random number generator. The key identification uniquely identifies the session key: the same key identification can be used in different sessions, and different key identifications correspond to different session keys. Optionally, the key identification is a 64-bit integer.
In one example, the background server generates the session key using a random number generator and generates the key identification corresponding to the session key. The background server also stores the session key and the key identification in correspondence with each other.
In another example, the background server selects one corresponding pair of session key and key identification from pre-stored keys. The pre-stored keys include at least one corresponding pair of session key and key identification and are generated and stored by the background server in advance. The pre-stored keys can be stored in the cache memory of the background server or in a target file. In one example, the pre-stored keys are stored in the cache and also backed up in the target file, so that the backup can be used if the cache fails.
There is a one-to-one correspondence between key identifications and session keys. Optionally, each session key has a corresponding validity period: the session key is valid within the validity period and invalid otherwise. The validity period of a session key can be set when the session key is generated. The duration of the validity period is usually the same for different session keys, but may also differ; this embodiment does not limit it. This embodiment also does not limit when the validity period of a session key starts: for example, it may start when the session key is generated, when the background server sends the session key to the client, or when the client receives the session key.
The client encrypts and decrypts session data using a session key that is valid (that is, within its validity period). After a session key becomes invalid (that is, exceeds its validity period), the client can request a new valid session key from the background server. Step 403 can therefore be executed when the existing session key has become invalid, or when the client needs to initiate a session with the background server and the existing session key has become invalid. If the existing session key is still valid, the client can use it to encrypt and decrypt session data without requesting a new session key from the background server.
Optionally, the background server's selection of one corresponding pair of session key and key identification from the pre-stored keys may include the following sub-steps:
1. The background server obtains the IP (Internet Protocol) address corresponding to the client.
For example, the background server parses the data packet of the authentication request sent by the client and obtains the client's IP address from the packet header.
2. The background server determines a key selection range according to the IP address; the key selection range includes part of the corresponding session keys and key identifications in the pre-stored keys.
The background server can divide the pre-stored keys into multiple segments, each containing part of the corresponding session keys and key identifications. For example, the background server computes a hash value of the client's IP address and maps the hash value to one segment of the pre-stored keys; that segment is the key selection range. As another example, the background server can select one segment at random from the segmented pre-stored keys, and the selected segment is the key selection range.
3. The background server selects one corresponding pair of session key and key identification from the key selection range.
This prevents the background server's key store from being dumped wholesale, because the session keys obtainable from a single IP address are confined to one fixed segment rather than all of the pre-stored keys.
Step 406, the background server encrypts the session key and the key identification using the temporary key to obtain a second ciphertext.
The background server encrypts the session key and the key identification according to the symmetric encryption mode using the temporary key, obtaining the second ciphertext.
Step 407, the background server sends an authentication response to the client, the authentication response carrying the second ciphertext.
Correspondingly, the client receives the authentication response sent by the background server.
Optionally, after receiving the authentication request sent by the client, the background server may also perform the following steps: obtain the GUID (Globally Unique Identifier) corresponding to the device on which the client is located; obtain the number of authentication requests corresponding to the GUID; judge whether the number of authentication requests is greater than a preset threshold; if it is greater than the preset threshold, refuse to respond to the authentication request; if it is less than the preset threshold, respond to the authentication request, for example by executing steps 404 to 407 above. The GUID corresponding to the client's device can be obtained by parsing the packet header of the authentication request data packet. Limiting the number of authentication requests from the same GUID in this way effectively prevents the background server from being paralysed when it is subjected to frequent malicious attacks.
Step 408, client decrypts the second ciphertext using temporary key, obtains session key and key identification.
After client receives Authentication Response, according to symmetric cryptography mode, the second ciphertext is decrypted using temporary key,
Obtain session key and key identification.Later, client is just with the session key come between symmetric cryptography and background server
Content of Communication.In the conversation procedure of subsequent client and server, client is taken using session key pair and backstage
The data of session transmitted between business device carry out encryption and decryption, and background server uses to be transmitted between session key pair and client
The data of session carry out encryption and decryption.
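The authentication phase (steps 404 to 408) carried through end to end, as an added example that is not the patent's own code. It assumes concrete primitives the description leaves open: a 32-byte temporary key, RSA-OAEP for the first ciphertext, and AES-256-GCM with a fresh 12-byte IV (prepended to the output) for the second ciphertext, with the payload laid out as key identification followed by session key. All function names are illustrative.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// oaepLabel binds the first ciphertext to this use of the server key (assumption).
var oaepLabel = []byte("auth-request")

// NewServerKey stands in for the background server's key pair (constructed here;
// a deployment would load it from protected storage).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Step 404: the client generates the temporary key.
func clientGenerateTempKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Step 405: the client encrypts the temporary key with the server's public key.
func clientEncryptTempKey(pub *rsa.PublicKey, tempKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, tempKey, oaepLabel)
}

// gcmSeal encrypts plaintext under key and returns IV || ciphertext || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return aead.Seal(iv, iv, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails on any modification of the ciphertext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("second ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Steps 405 and 406 on the server: recover the temporary key, then wrap the
// chosen session key and key identification under it.
func serverBuildSecondCiphertext(priv *rsa.PrivateKey, firstCiphertext []byte, keyID uint32, sessionKey []byte) ([]byte, error) {
	tempKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, firstCiphertext, oaepLabel)
	if err != nil {
		return nil, err
	}
	payload := make([]byte, 4+len(sessionKey)) // key identification || session key
	binary.BigEndian.PutUint32(payload, keyID)
	copy(payload[4:], sessionKey)
	return gcmSeal(tempKey, payload)
}

// Step 408: the client unwraps the second ciphertext.
func clientOpenSecondCiphertext(tempKey, secondCiphertext []byte) (uint32, []byte, error) {
	payload, err := gcmOpen(tempKey, secondCiphertext)
	if err != nil {
		return 0, nil, err
	}
	if len(payload) < 4 {
		return 0, nil, errors.New("payload too short")
	}
	return binary.BigEndian.Uint32(payload[:4]), payload[4:], nil
}

// RunHandshake drives both sides and returns what the client ends up holding.
func RunHandshake(priv *rsa.PrivateKey, keyID uint32, sessionKey []byte) (uint32, []byte, error) {
	tempKey, err := clientGenerateTempKey()
	if err != nil {
		return 0, nil, err
	}
	first, err := clientEncryptTempKey(&priv.PublicKey, tempKey)
	if err != nil {
		return 0, nil, err
	}
	second, err := serverBuildSecondCiphertext(priv, first, keyID, sessionKey)
	if err != nil {
		return 0, nil, err
	}
	return clientOpenSecondCiphertext(tempKey, second)
}

func main() {
	priv, _ := NewServerKey()
	sessionKey := bytes.Repeat([]byte{0x11}, 32) // constructed sample session key
	id, key, err := RunHandshake(priv, 42, sessionKey)
	fmt.Println("key id:", id, "session key matches:", bytes.Equal(key, sessionKey), "err:", err)
}
```

Because the second ciphertext is authenticated, any modification in transit makes step 408 fail instead of yielding a wrong session key; the private key is only ever used for the one slow operation in step 405.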
The data communication phase between the client and the background server is described next. Steps 409 to 411 are the uplink transmission process, and steps 412 to 414 are the downlink transmission process.
Step 409, the client encrypts the uplink data of the session with the session key, obtaining encrypted uplink data.
Uplink data is the data the client transmits to the background server.
Step 410, the client sends an uplink data packet to the background server.
The header of the uplink data packet carries the key identification, and the body of the uplink data packet carries the encrypted uplink data.
Correspondingly, the background server receives the uplink data packet sent by the client.
Step 411, the background server decrypts the encrypted uplink data with the session key corresponding to the key identification carried in the packet header, obtaining the uplink data.
After receiving the uplink data packet, the background server looks up in the prestored keys the session key corresponding to the key identification carried in the packet header, then decrypts the encrypted uplink data with that session key in the symmetric cipher mode, obtaining the uplink data.
Optionally, before performing the decryption operation, the background server may also verify the validity period of the looked-up session key: if the validity period has been exceeded, the process is terminated; if not, the decryption operation is performed.
Step 412, the background server encrypts the downlink data of the session with the session key, obtaining encrypted downlink data.
Downlink data is the data the background server transmits to the client.
Step 413, the background server sends a downlink data packet to the client.
The header of the downlink data packet carries the key identification, and the body of the downlink data packet carries the encrypted downlink data.
Correspondingly, the client receives the downlink data packet sent by the background server.
Step 414, the client decrypts the encrypted downlink data with the session key corresponding to the key identification carried in the packet header, obtaining the downlink data.
After receiving the downlink data packet, the client looks up the session key corresponding to the key identification carried in the packet header, then decrypts the encrypted downlink data with that session key in the symmetric cipher mode, obtaining the downlink data.
One further point: the background server may also obtain an initialization vector (IV) corresponding to the session key and send it to the client; the client uses the initialization vector when performing symmetric encryption and decryption with the session key. Correspondingly, the client receives the initialization vector sent by the background server. For example, the authentication response the background server sends to the client may also carry the initialization vector. The initialization vector may be sent encrypted under the temporary key or unencrypted; this embodiment does not limit this. The background server may generate the initialization vector by producing a random number with a random number generator and combining that random number with the session key. During use, the initialization vector may change dynamically according to the relevant algorithm. Optionally, the initialization vector is a 12-byte byte stream. In this way, the same session key can only complete decryption together with the corresponding initialization vector, which provides further hardening.
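The data communication phase (steps 409 to 414) with the optional validity-period check and the 12-byte IV, as an added example that is not the patent's own code. The packet layout is an assumption, since the description only says the header carries the key identification and the body the encrypted data: here the header is a 4-byte key identification followed by a fresh 12-byte IV that changes per packet, the body is AES-GCM ciphertext, and the header is bound as associated data so a swapped key identification or IV is detected. The table, type and function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Assumed packet layout:
//   header: 4-byte big-endian key identification || 12-byte IV
//   body:   AES-GCM ciphertext || 16-byte tag
const (
	keyIDLen  = 4
	ivLen     = 12 // the 12-byte initialization vector the description mentions
	headerLen = keyIDLen + ivLen
)

// SessionEntry is one row of the receiver's key table, with its validity period.
type SessionEntry struct {
	AEAD      cipher.AEAD
	ExpiresAt time.Time
}

// newAEAD wraps a session key in AES-GCM.
func newAEAD(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds an uplink or downlink packet (steps 409/412): header = key id ||
// fresh IV, body = ciphertext. The header is authenticated as associated data.
func Seal(keyID uint32, aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	pkt := make([]byte, headerLen)
	binary.BigEndian.PutUint32(pkt[:keyIDLen], keyID)
	if _, err := rand.Read(pkt[keyIDLen:headerLen]); err != nil {
		return nil, err
	}
	return aead.Seal(pkt, pkt[keyIDLen:headerLen], plaintext, pkt[:headerLen]), nil
}

// Open is the receiver side (steps 411/414): look the key id up, check the
// validity period, then decrypt; each failure is reported before any plaintext exists.
func Open(table map[uint32]SessionEntry, now time.Time, pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen {
		return nil, errors.New("packet shorter than header")
	}
	keyID := binary.BigEndian.Uint32(pkt[:keyIDLen])
	entry, ok := table[keyID]
	if !ok {
		return nil, errors.New("unknown key identification")
	}
	if !now.Before(entry.ExpiresAt) {
		return nil, errors.New("session key validity period exceeded")
	}
	return entry.AEAD.Open(nil, pkt[keyIDLen:headerLen], pkt[headerLen:], pkt[:headerLen])
}

// Roundtrip encrypts msg under a freshly generated session key (constructed
// sample data) and decrypts it through the table, optionally with an expired key.
func Roundtrip(msg string, expired bool) (string, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return "", err
	}
	aead, err := newAEAD(sessionKey)
	if err != nil {
		return "", err
	}
	now := time.Now()
	ttl := time.Hour
	if expired {
		ttl = -time.Minute
	}
	table := map[uint32]SessionEntry{42: {AEAD: aead, ExpiresAt: now.Add(ttl)}}
	pkt, err := Seal(42, aead, []byte(msg))
	if err != nil {
		return "", err
	}
	out, err := Open(table, now, pkt)
	return string(out), err
}

func main() {
	out, err := Roundtrip("uplink payload", false)
	fmt.Println(out, err)
	_, err = Roundtrip("late packet", true)
	fmt.Println("expired key rejected:", err != nil)
}
```

Generating a new IV per packet is what keeps the same session key safe across many packets; reusing one IV under GCM would be a real weakness, so the receiver relies on the sender's IV from the header rather than a counter it cannot verify.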
In conclusion method provided in this embodiment, adds temporary key using asymmetric encryption mode by client
Background server is sent to after close, background server is decrypted after obtaining temporary key, using the temporary key to session key and
Key identification encrypts to obtain the second ciphertext, and the second ciphertext is sent to client, and client is close to second using temporary key
Text decryption, obtains session key and key identification, in order to which client is subsequent when conversating with background server, using meeting
The data for talking about key pair session carry out encryption and decryption;It solves in the prior art due to the number of sessions between client and server
It is quite huge, cause server to need to expend a large amount of resource come the problem of managing symmetric key;Compared to the prior art directly
Encryption and decryption is carried out using data of the symmetric key generated by client to session, the embodiment of the present invention is used by background server
The session key of offer carries out encryption and decryption to the data of session, so that background server only needs management session key, is not necessarily to
The key generated to a large amount of clients is managed, so that the complexity that background server is managed key is simplified, and
Facilitate the resource of saving background server.
In addition, also by the way that corresponding validity period is arranged for session key, in the case where session key does not exceed the time limit, even
Different sessions, client can be used the session key and carry out encryption and decryption to the data of session, without thinking highly of from background service
The new session key of new request, the processing expense and the communication resource of equipment and background server where saving client.
One more point: given that asymmetric decryption is slow, typically around 2200 decryptions per second on a single thread, multi-threaded parallel decryption can be used so that the background server does not become the system bottleneck without adding many machines. Moreover, if the OpenSSL (Open Secure Sockets Layer) library is used, because the OpenSSL library is not thread-safe, a service process can have only one thread performing decryption; achieving parallelism then requires running multiple processes, which complicates development and deployment and is inconvenient to maintain. In the embodiment of the present invention, the code around the RSA function API of the OpenSSL library is adjusted so that the thread-unsafe steps are separated out and invoked in a safe place, while the remaining thread-safe steps can be invoked in a multi-threaded environment, meeting the requirement of multi-threaded parallel decryption.
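Multi-threaded parallel decryption of the first ciphertexts, as an added example that is not the patent's code and does not use OpenSSL: Go's crypto/rsa is safe for concurrent use of one private key, so a worker pool can run the slow RSA-OAEP decryptions on every core. The per-request state that is not safe to share (here the hash instance) is created inside each worker, which is the same separation of unsafe and safe steps the text describes. Key size, worker count and function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"runtime"
	"sync"
)

// NewServerKey stands in for the background server's key pair (constructed
// here; a deployment would load it from protected storage).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptTempKeys simulates n clients each producing a first ciphertext from a
// random 32-byte temporary key (constructed sample input).
func EncryptTempKeys(pub *rsa.PublicKey, n int) (plain, cts [][]byte, err error) {
	plain = make([][]byte, n)
	cts = make([][]byte, n)
	for i := range cts {
		plain[i] = make([]byte, 32)
		if _, err = rand.Read(plain[i]); err != nil {
			return nil, nil, err
		}
		if cts[i], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain[i], nil); err != nil {
			return nil, nil, err
		}
	}
	return plain, cts, nil
}

// DecryptParallel decrypts all first ciphertexts with a fixed-size worker pool.
// The private key is shared read-only across workers; the hash.Hash, which is
// not safe to share, is created per call inside the worker.
func DecryptParallel(priv *rsa.PrivateKey, cts [][]byte, workers int) ([][]byte, error) {
	if workers <= 0 {
		workers = runtime.NumCPU()
	}
	out := make([][]byte, len(cts))
	errs := make([]error, len(cts))
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs {
				// each index is owned by exactly one worker, so no locking is needed
				out[i], errs[i] = rsa.DecryptOAEP(sha256.New(), nil, priv, cts[i], nil)
			}
		}()
	}
	for i := range cts {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	for _, err := range errs {
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	_, cts, err := EncryptTempKeys(&priv.PublicKey, 64)
	if err != nil {
		panic(err)
	}
	got, err := DecryptParallel(priv, cts, 0)
	fmt.Println("decrypted", len(got), "temporary keys on", runtime.NumCPU(), "cores, err:", err)
}
```

A bounded pool rather than one goroutine per request keeps a burst of authentication requests from exhausting memory, which complements the per-GUID request limit described earlier.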
In the above method embodiment, the steps on the client side can be implemented separately as a client-side key management method, and the steps on the background server side can be implemented separately as a background-server-side key management method.
The technical solution provided in the embodiment of the present invention is described next in connection with the application scenario shown in Fig. 2.
Fig. 5 shows the flow chart of the authorization phase. As shown in Fig. 5, the authorization phase may include the following steps.
Step 501, the client generates a temporary key.
Step 502, the client encrypts the temporary key with the public key provided by the authentication center server, obtaining the first ciphertext.
Step 503, the client sends an authentication request to the access server, carrying the first ciphertext.
Correspondingly, the access server receives the authentication request sent by the client.
Step 504, the access server forwards the authentication request to the authentication center server.
Correspondingly, the authentication center server receives the authentication request sent by the access server.
Step 505, the authentication center server decrypts the first ciphertext with the private key corresponding to the public key, obtaining the temporary key.
Step 506, the authentication center server obtains a session key and a key identification.
The key identification identifies the session key, and the session key is used to encrypt the data of the session.
In one example, step 506 includes the following sub-steps:
Step 506a, the authentication center server generates the session key with a random number generator;
Step 506b, the authentication center server sends the session key to the key management server;
Correspondingly, the key management server receives the session key sent by the authentication center server;
Step 506c, the key management server generates the key identification corresponding to the session key;
Step 506d, the key management server stores the key identification and the session key in correspondence;
Step 506e, the key management server sends the key identification to the authentication center server;
Correspondingly, the authentication center server receives the key identification sent by the key management server.
In another example, step 506 includes the following sub-step:
Step 506f, the authentication center server selects one corresponding pair of session key and key identification from the prestored keys.
The prestored keys contain at least one corresponding pair of session key and key identification. The prestored keys may be generated in advance by the key management server and provided to the authentication center server. For example, the key management server writes the prestored keys into a target file and sends the target file to the authentication center server; after the authentication center server starts, it loads the prestored keys from the target file into memory and each time selects one corresponding pair of session key and key identification from them at random.
Step 507, the authentication center server encrypts the session key and the key identification with the temporary key, obtaining the second ciphertext.
Step 508, the authentication center server sends an authentication response to the access server, carrying the second ciphertext.
Correspondingly, the access server receives the authentication response sent by the authentication center server.
Step 509, the access server forwards the authentication response to the client.
Correspondingly, the client receives the authentication response sent by the access server.
Step 510, the client decrypts the second ciphertext with the temporary key, obtaining the session key and the key identification.
Fig. 6 shows the flow chart of the data communication phase. As shown in Fig. 6, the data communication phase may include the following steps.
Step 601, the client encrypts the uplink data of the session with the session key, obtaining encrypted uplink data.
Step 602, the client sends an uplink data packet to the access server.
The header of the uplink data packet carries the key identification, and the body of the uplink data packet carries the encrypted uplink data.
Correspondingly, the access server receives the uplink data packet sent by the client.
Step 603, the access server looks up the session key corresponding to the key identification carried in the packet header.
In one example, step 603 includes the following sub-step:
Step 603a, the access server looks up the session key corresponding to the key identification carried in the packet header in its local cache.
For example, the access server obtains the preset keys from the key management server in advance and stores them in the local cache.
In another example, step 603 includes the following sub-steps:
Step 603b, the access server sends a query request to the key management server, carrying the key identification from the packet header;
Correspondingly, the key management server receives the query request sent by the access server;
Step 603c, the key management server looks up in the preset keys the session key corresponding to the key identification carried in the query request;
Step 603d, the key management server sends a query response to the access server, carrying the session key it looked up;
Correspondingly, the access server receives the query response sent by the key management server.
Step 604, the access server decrypts the encrypted uplink data with the looked-up session key, obtaining the uplink data.
Step 605, the access server sends the uplink data to the service server.
Correspondingly, the service server receives the uplink data sent by the access server.
In one example, the access server sends the uplink data to the service server in plaintext. In another example, the access server encrypts the uplink data with a cipher mode and key negotiated in advance with the service server before sending it to the service server.
After receiving the uplink data, the service server processes it and, when necessary, returns a response packet to the client.
Step 606, the service server sends downlink data to the access server.
Correspondingly, the access server receives the downlink data sent by the service server.
In one example, the service server sends the downlink data to the access server in plaintext. In another example, the service server encrypts the downlink data with a cipher mode and key negotiated in advance with the access server before sending it to the access server.
Step 607, the access server encrypts the downlink data with the looked-up session key, obtaining encrypted downlink data.
Step 608, the access server sends a downlink data packet to the client.
The header of the downlink data packet carries the key identification, and the body of the downlink data packet carries the encrypted downlink data.
Correspondingly, the client receives the downlink data packet sent by the access server.
Step 609, the client decrypts the encrypted downlink data with the session key corresponding to the key identification carried in the packet header, obtaining the downlink data.
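The two variants of step 603 combined into one lookup path, as an added example that is not the patent's code: the access server consults its local cache of preset keys first (step 603a) and, on a miss, queries the key management server (steps 603b to 603d), caching only positive answers so an unknown key identification cannot pollute the cache. The interface, the in-memory stand-in for the key management server and the query counter are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// KeyManagementServer is what the access server queries on a cache miss
// (steps 603b-603d); the interface and method name are assumptions.
type KeyManagementServer interface {
	QuerySessionKey(keyID uint32) ([]byte, error)
}

// InMemoryKMS is a constructed stand-in holding the preset keys and counting
// how many query requests it received.
type InMemoryKMS struct {
	Keys    map[uint32][]byte
	Queries int
}

func (k *InMemoryKMS) QuerySessionKey(keyID uint32) ([]byte, error) {
	k.Queries++
	key, ok := k.Keys[keyID]
	if !ok {
		return nil, errors.New("unknown key identification")
	}
	return key, nil
}

// AccessServer keeps a local cache of key identification -> session key (step 603a).
type AccessServer struct {
	mu    sync.RWMutex
	cache map[uint32][]byte
	kms   KeyManagementServer
}

// NewAccessServer preloads the cache with keys obtained from the key
// management server in advance, as the description allows.
func NewAccessServer(kms KeyManagementServer, preloaded map[uint32][]byte) *AccessServer {
	c := make(map[uint32][]byte, len(preloaded))
	for id, k := range preloaded {
		c[id] = k
	}
	return &AccessServer{cache: c, kms: kms}
}

// LookupSessionKey resolves the key identification from a packet header:
// cache first, then the key management server. Negative answers are not
// cached, and the session key is the only thing stored.
func (a *AccessServer) LookupSessionKey(keyID uint32) ([]byte, error) {
	a.mu.RLock()
	key, ok := a.cache[keyID]
	a.mu.RUnlock()
	if ok {
		return key, nil
	}
	key, err := a.kms.QuerySessionKey(keyID)
	if err != nil {
		return nil, err
	}
	a.mu.Lock()
	a.cache[keyID] = key
	a.mu.Unlock()
	return key, nil
}

func main() {
	kms := &InMemoryKMS{Keys: map[uint32][]byte{1: []byte("key-one")}} // constructed sample
	as := NewAccessServer(kms, nil)
	_, err := as.LookupSessionKey(1)
	fmt.Println("lookup ok:", err == nil, "queries to key management server:", kms.Queries)
}
```

A packet whose key identification is unknown to both the cache and the key management server is rejected at step 603, before step 604 ever attempts a decryption.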
The following are apparatus embodiments of the present invention, which can be used to perform the method embodiments of the present invention. For details not disclosed in the apparatus embodiments, please refer to the method embodiments of the present invention.
Referring to Fig. 7, it shows a block diagram of a key management apparatus provided by one embodiment of the present invention. The apparatus has the function of implementing the client-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a key generation module 710, a first encryption module 720, a request sending module 730, a response receiving module 740 and a first decryption module 750.
The key generation module 710 is configured to generate a temporary key.
The first encryption module 720 is configured to encrypt the temporary key with the public key provided by the background server, obtaining a first ciphertext.
The request sending module 730 is configured to send an authentication request to the background server, the authentication request carrying the first ciphertext.
The response receiving module 740 is configured to receive the authentication response sent by the background server, the authentication response carrying a second ciphertext, where the second ciphertext is the ciphertext obtained by encrypting a session key and a key identification with the temporary key. The key identification identifies the session key, and the session key is used to encrypt the data of the session.
The first decryption module 750 is configured to decrypt the second ciphertext with the temporary key, obtaining the session key and the key identification.
In conclusion device provided in this embodiment, adds temporary key using asymmetric encryption mode by client
It is sent to background server after close, receives it from background server and temporary key is used to encrypt session key and key identification
The second ciphertext arrived, and the second ciphertext is decrypted using temporary key, session key and key identification are obtained, in order to client
It is subsequent when conversating with background server, encryption and decryption is carried out to the data of session using session key;Solves existing skill
Since the number of sessions between client and server is quite huge in art, causes server to need to expend a large amount of resource and carry out pipe
The problem of managing symmetric key;The symmetric key generated by client is directlyed adopt compared to the prior art to carry out the data of session
Encryption and decryption, the embodiment of the present invention use the session key provided by background server to carry out encryption and decryption to the data of session, so that
Background server only needs management session key, and the key without generating to a large amount of clients is managed, to simplify
The complexity that background server is managed key, and help to save the resource of background server.
Referring to Fig. 8, it shows a block diagram of a key management apparatus provided by another embodiment of the present invention. The apparatus has the function of implementing the background-server-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a request receiving module 810, a second decryption module 820, a key acquisition module 830, a second encryption module 840 and a response sending module 850.
The request receiving module 810 is configured to receive the authentication request sent by the client, the authentication request carrying a first ciphertext, where the first ciphertext is the ciphertext obtained by encrypting a temporary key with the public key provided by the local end.
The second decryption module 820 is configured to decrypt the first ciphertext with the private key corresponding to the public key, obtaining the temporary key.
The key acquisition module 830 is configured to obtain a session key and a key identification. The key identification identifies the session key, and the session key is used to encrypt the data of the session.
The second encryption module 840 is configured to encrypt the session key and the key identification with the temporary key, obtaining a second ciphertext.
The response sending module 850 is configured to send an authentication response to the client, the authentication response carrying the second ciphertext.
In conclusion device provided in this embodiment, adds temporary key using asymmetric encryption mode by client
Background server is sent to after close, background server is decrypted after obtaining temporary key, using the temporary key to session key and
Key identification encrypts to obtain the second ciphertext, and the second ciphertext is sent to client, takes in order to which client is subsequent with backstage
When business device conversates, encryption and decryption is carried out using data of the session key to session;It solves in the prior art due to client
Number of sessions between server is quite huge, and server is caused to need to expend a large amount of resource to manage asking for symmetric key
Topic;The symmetric key generated by client is directlyed adopt compared to the prior art, and encryption and decryption, the present invention are carried out to the data of session
Embodiment uses the session key provided by background server to carry out encryption and decryption to the data of session, so that background server only needs
Session key is managed, the key without generating to a large amount of clients is managed, to simplify background server to close
The complexity that key is managed, and help to save the resource of background server.
Referring to Fig. 9, it shows a block diagram of a key management system provided by one embodiment of the present invention. The system includes a client 700 and a background server 800.
The client 700 may include a key management apparatus. The apparatus has the function of implementing the client-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a key generation module 710, a first encryption module 720, a request sending module 730, a response receiving module 740 and a first decryption module 750.
The key generation module 710 is configured to generate a temporary key.
The first encryption module 720 is configured to encrypt the temporary key with the public key provided by the background server 800, obtaining a first ciphertext.
The request sending module 730 is configured to send an authentication request to the background server 800, the authentication request carrying the first ciphertext.
The response receiving module 740 is configured to receive the authentication response sent by the background server 800, the authentication response carrying a second ciphertext, where the second ciphertext is the ciphertext obtained by encrypting a session key and a key identification with the temporary key. The key identification identifies the session key, and the session key is used to encrypt the data of the session.
The first decryption module 750 is configured to decrypt the second ciphertext with the temporary key, obtaining the session key and the key identification.
Optionally, the apparatus further includes an uplink data encryption module 762 and an uplink data sending module 764.
The uplink data encryption module 762 is configured to encrypt the uplink data of the session with the session key, obtaining encrypted uplink data.
The uplink data sending module 764 is configured to send an uplink data packet to the background server 800, the header of the uplink data packet carrying the key identification and the body of the uplink data packet carrying the encrypted uplink data.
Optionally, the apparatus further includes a downlink data receiving module 766 and a downlink data decryption module 768.
The downlink data receiving module 766 is configured to receive the downlink data packet sent by the background server 800, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying encrypted downlink data.
The downlink data decryption module 768 is configured to decrypt the encrypted downlink data with the session key corresponding to the key identification carried in the packet header, obtaining the downlink data.
In one example, the key generation module 710 is configured to generate the temporary key with a random number generator.
Optionally, the apparatus further includes a vector receiving module 770.
The vector receiving module 770 is configured to receive the initialization vector corresponding to the session key sent by the background server 800; the initialization vector is used by the local end when performing symmetric encryption and decryption with the session key.
The background server 800 may include a key management apparatus. The apparatus has the function of implementing the background-server-side key management method described above; the function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include: a request receiving module 810, a second decryption module 820, a key acquisition module 830, a second encryption module 840 and a response sending module 850.
The request receiving module 810 is configured to receive the authentication request sent by the client 700, the authentication request carrying a first ciphertext, where the first ciphertext is the ciphertext obtained by encrypting a temporary key with the public key provided by the local end.
The second decryption module 820 is configured to decrypt the first ciphertext with the private key corresponding to the public key, obtaining the temporary key.
The key acquisition module 830 is configured to obtain a session key and a key identification. The key identification identifies the session key, and the session key is used to encrypt the data of the session.
The second encryption module 840 is configured to encrypt the session key and the key identification with the temporary key, obtaining a second ciphertext.
The response sending module 850 is configured to send an authentication response to the client 700, the authentication response carrying the second ciphertext.
In one example, the key acquisition module 830 is configured to generate the session key with a random number generator and to generate the key identification corresponding to the session key.
In another example, the key acquisition module 830 is configured to select one corresponding pair of session key and key identification from the prestored keys, where the prestored keys contain at least one corresponding pair of session key and key identification.
Optionally, the key acquisition module 830 includes an address acquisition unit, a range determination unit and a key selection unit.
The address acquisition unit is configured to obtain the IP address corresponding to the client 700.
The range determination unit is configured to determine a key selection range according to the IP address, the key selection range including part of the corresponding session keys and key identifications in the prestored keys.
The key selection unit is configured to select one corresponding pair of session key and key identification from the key selection range.
Optionally, the apparatus further includes an uplink data receiving module 862 and an uplink data decryption module 864.
The uplink data receiving module 862 is configured to receive the uplink data packet sent by the client 700, the header of the uplink data packet carrying the key identification and the body of the uplink data packet carrying encrypted uplink data.
The uplink data decryption module 864 is configured to decrypt the encrypted uplink data with the session key corresponding to the key identification carried in the packet header, obtaining the uplink data.
Optionally, the apparatus further includes a downlink data encryption module 866 and a downlink data sending module 868.
The downlink data encryption module 866 is configured to encrypt the downlink data of the session with the session key, obtaining encrypted downlink data.
The downlink data sending module 868 is configured to send a downlink data packet to the client 700, the header of the downlink data packet carrying the key identification and the body of the downlink data packet carrying the encrypted downlink data.
Optionally, the apparatus further includes an identifier acquisition module 812 and a count acquisition module 814.
The identifier acquisition module 812 is configured to obtain the GUID corresponding to the device on which the client 700 runs.
The count acquisition module 814 is configured to obtain the number of authentication requests corresponding to the GUID.
The second decryption module 820 is further configured to decrypt the first ciphertext with the private key corresponding to the public key, obtaining the temporary key, when the number of authentication requests is less than the preset threshold.
Optionally, the apparatus further includes a vector acquisition module 870 and a vector sending module 880.
The vector acquisition module 870 is configured to obtain the initialization vector corresponding to the session key.
The vector sending module 880 is configured to send the initialization vector to the client 700; the initialization vector is used by the client 700 when performing symmetric encryption and decryption with the session key.
In summary, in the system provided in this embodiment, the client encrypts a temporary key in an asymmetric encryption mode and sends it to the background server; the background server decrypts it to obtain the temporary key, encrypts the session key and the key identification with that temporary key to obtain the second ciphertext, and sends the second ciphertext to the client; the client decrypts the second ciphertext with the temporary key to obtain the session key and the key identification, so that in subsequent sessions with the background server it can encrypt and decrypt session data with the session key. This solves the prior-art problem that, because the number of sessions between clients and the server is very large, the server must spend substantial resources managing symmetric keys. Compared with the prior art, which encrypts and decrypts session data directly with a symmetric key generated by the client, the embodiment of the present invention encrypts and decrypts session data with a session key provided by the background server, so the background server only has to manage session keys and need not manage keys generated by a large number of clients; this simplifies the background server's key management and helps save its resources.
It should be noted that when the apparatus provided in the above embodiment realizes its functions, the division into the functional modules described above is only an example; in practice the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the apparatus and method embodiments provided above belong to the same concept; for the specific implementation process, see the method embodiment, which is not repeated here.
Referring to FIG. 10, it illustrates the structural schematic diagrams of terminal provided by one embodiment of the present invention.The terminal is used for
The key management method of the client-side provided in above-described embodiment is provided.Specifically:
Terminal 1000 may include RF (Radio Frequency, radio frequency) circuit 1010, include one or more
Memory 1020, input unit 1030, display unit 1040, the sensor 1050, voicefrequency circuit of computer readable storage medium
1060, WiFi (wireless fidelity, Wireless Fidelity) module 1070, include one or more than one processing core
Processor 1080 and the components such as power supply 1090.It will be understood by those skilled in the art that terminal structure shown in Figure 10 is simultaneously
The not restriction of structure paired terminal may include perhaps combining certain components or different than illustrating more or fewer components
Component layout.Wherein:
The RF circuit 1010 may be used to receive and send signals during the sending and receiving of information or during a call; in particular, after receiving downlink information from a base station, it hands the information to one or more processors 1080 for processing, and it also sends uplink data to the base station. In general, the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, an LNA (Low Noise Amplifier) and a duplexer. In addition, the RF circuit 1010 may communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System for Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail and SMS (Short Messaging Service).
The memory 1020 may be used to store software programs and modules; the processor 1080 executes various functional applications and data processing by running the software programs and modules stored in the memory 1020. The memory 1020 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application required by at least one function (such as a sound playing function or an image playing function) and the like, and the data storage area may store data created according to the use of the terminal 1000 (such as audio data, a phone book and the like). In addition, the memory 1020 may include a high-speed random access memory and may also include a non-volatile memory, for example at least one magnetic disk storage device, a flash memory device or another volatile solid-state storage device. Correspondingly, the memory 1020 may further include a memory controller to provide the processor 1080 and the input unit 1030 with access to the memory 1020.
The input unit 1030 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, the input unit 1030 may include an image input device 1031 and other input devices 1032. The image input device 1031 may be a camera or a photoelectric scanning device. In addition to the image input device 1031, the input unit 1030 may also include other input devices 1032. Specifically, the other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as a volume control key or a switch key), a trackball, a mouse and a joystick.
The display unit 1040 may be used to display information input by the user or information provided to the user, as well as the various graphical user interfaces of the terminal 1000, which may be composed of graphics, text, icons, video and any combination thereof. The display unit 1040 may include a display panel 1041, which may optionally be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode) or the like.
The terminal 1000 may further include at least one sensor 1050, such as an optical sensor, a motion sensor and other sensors. Specifically, the optical sensor may include an ambient light sensor and a proximity sensor, where the ambient light sensor may adjust the brightness of the display panel 1041 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 1041 and/or the backlight when the terminal 1000 is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes), can detect the magnitude and direction of gravity when at rest, and can be used for applications that identify the posture of the mobile phone (such as switching between landscape and portrait screen, related games and magnetometer posture calibration), vibration recognition related functions (such as a pedometer or tapping) and the like. Other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor may also be configured in the terminal 1000; details are not described herein.
The audio circuit 1060, a loudspeaker 1061 and a microphone 1062 may provide an audio interface between the user and the terminal 1000. The audio circuit 1060 may transmit the electrical signal converted from the received audio data to the loudspeaker 1061, which converts it into a sound signal for output; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data; the audio data is output to the processor 1080 for processing and then sent, for example, to another terminal through the RF circuit 1010, or output to the memory 1020 for further processing. The audio circuit 1060 may also include an earphone jack to provide communication between a peripheral earphone and the terminal 1000.
WiFi is a short-range wireless transmission technology. Through the WiFi module 1070, the terminal 1000 can help the user send and receive e-mail, browse web pages, access streaming media and the like; it provides the user with wireless broadband internet access. Although FIG. 10 shows the WiFi module 1070, it can be understood that it is not a necessary component of the terminal 1000 and may be omitted as needed within the scope that does not change the essence of the invention.
The processor 1080 is the control center of the terminal 1000: it connects all parts of the whole mobile phone through various interfaces and lines, and performs the various functions of the terminal 1000 and processes data by running or executing the software programs and/or modules stored in the memory 1020 and calling the data stored in the memory 1020, thereby monitoring the mobile phone as a whole. Optionally, the processor 1080 may include one or more processing cores; preferably, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, applications and the like, and the modem processor mainly handles wireless communication. It can be understood that the modem processor may also not be integrated into the processor 1080.
The terminal 1000 further includes a power supply 1090 (such as a battery) that supplies power to the components. Preferably, the power supply may be logically connected to the processor 1080 through a power management system, so that functions such as charging, discharging and power consumption management are realized through the power management system. The power supply 1090 may also include one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator and any other such component.
Although not shown, the terminal 1000 may further include a Bluetooth module and the like; details are not described herein.
Specifically, in this embodiment, the terminal 1000 further includes a memory and one or more programs, where the one or more programs are stored in the memory and are configured to be executed by one or more processors. The one or more programs include instructions for performing the key management method on the client side described above.
Referring to FIG. 11, it illustrates a schematic structural diagram of a server provided by an embodiment of the present invention. The server is configured to implement the key management method on the background server side provided in the above embodiments. Specifically:
The server 1100 includes a central processing unit (CPU) 1101, a system memory 1104 including a random access memory (RAM) 1102 and a read-only memory (ROM) 1103, and a system bus 1105 connecting the system memory 1104 and the central processing unit 1101. The server 1100 further includes a basic input/output system (I/O system) 1106 that helps transmit information between the devices in the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114 and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109, such as a mouse or keyboard, for the user to input information. The display 1108 and the input device 1109 are both connected to the central processing unit 1101 through an input/output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include the input/output controller 1110 for receiving and processing input from a keyboard, a mouse, an electronic stylus or a number of other devices. Similarly, the input/output controller 1110 also provides output to a display screen, a printer or another kind of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable medium provide non-volatile storage for the server 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM drive.
Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented by any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM, EEPROM, flash memory or other solid-state storage technologies, CD-ROM, DVD or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media are not limited to the above. The system memory 1104 and the mass storage device 1107 described above may be collectively referred to as memory.
According to various embodiments of the present invention, the server 1100 may also be operated by a remote computer connected through a network such as the internet. That is, the server 1100 may be connected to a network 1112 through a network interface unit 1111 connected to the system bus 1105; in other words, the network interface unit 1111 may also be used to connect to other kinds of networks or remote computer systems (not shown).
The memory further includes one or more programs, which are stored in the memory and are configured to be executed by one or more processors. The one or more programs include instructions for performing the key management method on the background server side described above.
It should be understood that "multiple" as referred to herein means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist simultaneously, or that B exists alone. The character "/" generally indicates an "or" relationship between the associated objects.
The serial numbers of the above embodiments of the present invention are merely for description and do not represent the advantages or disadvantages of the embodiments.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included in the protection scope of the present invention.
Claims (27)
1. A key management method, characterized in that the method comprises:
generating a temporary key;
encrypting the temporary key using a public key provided by a background server, to obtain a first ciphertext;
sending an authentication request to the background server, the authentication request carrying the first ciphertext;
receiving an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being a ciphertext obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server by decrypting the first ciphertext using a private key corresponding to the public key after the background server obtains a globally unique identifier GUID corresponding to the device on which the client is located and detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification is used to identify the session key, and the session key is used to encrypt data of the session;
decrypting the second ciphertext using the temporary key, to obtain the session key and the key identification.
2. The method according to claim 1, characterized in that, after decrypting the second ciphertext using the temporary key to obtain the session key and the key identification, the method further comprises:
encrypting upstream data of the session using the session key, to obtain encrypted upstream data;
sending an upstream data packet to the background server, the packet header of the upstream data packet carrying the key identification and the packet body of the upstream data packet carrying the encrypted upstream data.
3. The method according to claim 1, characterized in that, after decrypting the second ciphertext using the temporary key to obtain the session key and the key identification, the method further comprises:
receiving a downlink data packet sent by the background server, the packet header of the downlink data packet carrying the key identification and the packet body of the downlink data packet carrying encrypted downlink data;
decrypting the encrypted downlink data using the session key corresponding to the key identification carried in the packet header, to obtain downlink data.
4. The method according to claim 1, characterized in that generating the temporary key comprises:
generating the temporary key using a random number generator.
5. The method according to claim 1, characterized in that the method further comprises:
receiving an initialization vector corresponding to the session key sent by the background server, the initialization vector being used by the local end when performing symmetric encryption and decryption using the session key.
6. A key management method, characterized in that the method comprises:
receiving an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being a ciphertext obtained by encrypting a temporary key using a public key provided by the local end;
obtaining a globally unique identifier GUID corresponding to the device on which the client is located;
obtaining the number of authentication requests corresponding to the GUID;
if the number of authentication requests is less than a preset threshold, decrypting the first ciphertext using a private key corresponding to the public key, to obtain the temporary key;
obtaining a session key and a key identification; wherein the key identification is used to identify the session key, and the session key is used to encrypt data of the session;
encrypting the session key and the key identification using the temporary key, to obtain a second ciphertext;
sending an authentication response to the client, the authentication response carrying the second ciphertext.
7. The method according to claim 6, characterized in that obtaining the session key and the key identification comprises:
generating the session key using a random number generator;
generating the key identification corresponding to the session key.
8. The method according to claim 6, characterized in that obtaining the session key and the key identification comprises:
selecting one group of corresponding session key and key identification from pre-stored keys;
wherein the pre-stored keys include at least one group of corresponding session key and key identification.
9. The method according to claim 8, characterized in that selecting one group of corresponding session key and key identification from the pre-stored keys comprises:
obtaining an Internet Protocol IP address corresponding to the client;
determining a key selection range according to the IP address, the key selection range including part of the corresponding session keys and key identifications in the pre-stored keys;
selecting one group of corresponding session key and key identification from the key selection range.
10. The method according to claim 6, characterized in that, after sending the authentication response to the client, the method further comprises:
receiving an upstream data packet sent by the client, the packet header of the upstream data packet carrying the key identification and the packet body of the upstream data packet carrying encrypted upstream data;
decrypting the encrypted upstream data using the session key corresponding to the key identification carried in the packet header, to obtain upstream data.
11. The method according to claim 6, characterized in that, after sending the authentication response to the client, the method further comprises:
encrypting downlink data of the session using the session key, to obtain encrypted downlink data;
sending a downlink data packet to the client, the packet header of the downlink data packet carrying the key identification and the packet body of the downlink data packet carrying the encrypted downlink data.
12. The method according to claim 6, characterized in that the method further comprises:
obtaining an initialization vector corresponding to the session key;
sending the initialization vector to the client, the initialization vector being used by the client when performing symmetric encryption and decryption using the session key.
13. A key management apparatus, characterized in that the apparatus comprises:
a key generation module, configured to generate a temporary key;
a first encryption module, configured to encrypt the temporary key using a public key provided by a background server, to obtain a first ciphertext;
a request sending module, configured to send an authentication request to the background server, the authentication request carrying the first ciphertext;
a response receiving module, configured to receive an authentication response sent by the background server, the authentication response carrying a second ciphertext, the second ciphertext being a ciphertext obtained by encrypting a session key and a key identification using the temporary key; wherein the temporary key is obtained by the background server by decrypting the first ciphertext using a private key corresponding to the public key after the background server obtains a globally unique identifier GUID corresponding to the device on which the client is located and detects that the number of authentication requests corresponding to the GUID is less than a preset threshold; the key identification is used to identify the session key, and the session key is used to encrypt data of the session;
a first decryption module, configured to decrypt the second ciphertext using the temporary key, to obtain the session key and the key identification.
14. The apparatus according to claim 13, characterized in that the apparatus further comprises:
an upstream data encryption module, configured to encrypt upstream data of the session using the session key, to obtain encrypted upstream data;
an upstream data sending module, configured to send an upstream data packet to the background server, the packet header of the upstream data packet carrying the key identification and the packet body of the upstream data packet carrying the encrypted upstream data.
15. The apparatus according to claim 13, characterized in that the apparatus further comprises:
a downlink data receiving module, configured to receive a downlink data packet sent by the background server, the packet header of the downlink data packet carrying the key identification and the packet body of the downlink data packet carrying encrypted downlink data;
a downlink data decryption module, configured to decrypt the encrypted downlink data using the session key corresponding to the key identification carried in the packet header, to obtain downlink data.
16. The apparatus according to claim 13, characterized in that
the key generation module is configured to generate the temporary key using a random number generator.
17. The apparatus according to claim 13, characterized in that the apparatus further comprises:
a vector receiving module, configured to receive an initialization vector corresponding to the session key sent by the background server, the initialization vector being used by the local end when performing symmetric encryption and decryption using the session key.
18. A key management apparatus, characterized in that the apparatus comprises:
a request receiving module, configured to receive an authentication request sent by a client, the authentication request carrying a first ciphertext, the first ciphertext being a ciphertext obtained by encrypting a temporary key using a public key provided by the local end;
an identifier obtaining module, configured to obtain a globally unique identifier GUID corresponding to the device on which the client is located;
a number obtaining module, configured to obtain the number of authentication requests corresponding to the GUID;
a second decryption module, configured to decrypt the first ciphertext using a private key corresponding to the public key when the number of authentication requests is less than a preset threshold, to obtain the temporary key;
a key obtaining module, configured to obtain a session key and a key identification; wherein the key identification is used to identify the session key, and the session key is used to encrypt data of the session;
a second encryption module, configured to encrypt the session key and the key identification using the temporary key, to obtain a second ciphertext;
a response sending module, configured to send an authentication response to the client, the authentication response carrying the second ciphertext.
19. The apparatus according to claim 18, characterized in that
the key obtaining module is configured to generate the session key using a random number generator and to generate the key identification corresponding to the session key.
20. The apparatus according to claim 18, characterized in that
the key obtaining module is configured to select one group of corresponding session key and key identification from pre-stored keys;
wherein the pre-stored keys include at least one group of corresponding session key and key identification.
21. The apparatus according to claim 20, characterized in that the key obtaining module comprises:
an address obtaining unit, configured to obtain an Internet Protocol IP address corresponding to the client;
a range determining unit, configured to determine a key selection range according to the IP address, the key selection range including part of the corresponding session keys and key identifications in the pre-stored keys;
a key selecting unit, configured to select one group of corresponding session key and key identification from the key selection range.
22. The apparatus according to claim 18, characterized in that the apparatus further comprises:
an upstream data receiving module, configured to receive an upstream data packet sent by the client, the packet header of the upstream data packet carrying the key identification and the packet body of the upstream data packet carrying encrypted upstream data;
an upstream data decryption module, configured to decrypt the encrypted upstream data using the session key corresponding to the key identification carried in the packet header, to obtain upstream data.
23. The apparatus according to claim 18, characterized in that the apparatus further comprises:
a downlink data encryption module, configured to encrypt downlink data of the session using the session key, to obtain encrypted downlink data;
a downlink data sending module, configured to send a downlink data packet to the client, the packet header of the downlink data packet carrying the key identification and the packet body of the downlink data packet carrying the encrypted downlink data.
24. The apparatus according to claim 18, characterized in that the apparatus further comprises:
a vector obtaining module, configured to obtain an initialization vector corresponding to the session key;
a vector sending module, configured to send the initialization vector to the client, the initialization vector being used by the client when performing symmetric encryption and decryption using the session key.
25. A key management system, characterized in that the system comprises a client and a background server;
the client comprises the key management apparatus according to any one of claims 13 to 17;
the background server comprises the key management apparatus according to any one of claims 18 to 24.
26. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program, and the program is executed by a processor to implement the key management method according to any one of claims 1 to 5.
27. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program, and the program is executed by a processor to implement the key management method according to any one of claims 6 to 11.
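The client/background-server exchange of claims 1, 2, 6 and 10, as an added Go example that is not part of the patent: RSA-OAEP wraps the temporary key (first ciphertext), AES-256-GCM encrypts the key identification and session key under the temporary key (second ciphertext) and then each packet body, and the server counts authentication requests per GUID before it will decrypt. The threshold value, the 4-byte key identification, the packet layout and the in-band IV are assumptions of this example, not taken from the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed for this example: authentication requests allowed per device GUID.
const authThreshold = 3
// must is only for local setup that cannot fail on valid input; every protocol
// decision (threshold, unknown key id, bad ciphertext) returns an error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal/open: AES-256-GCM with the random IV prepended (the IV of claims 5 and 12 travels in-band).
func seal(key, plain []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	iv := make([]byte, gcm.NonceSize())
	must(rand.Read(iv))
	return gcm.Seal(iv, iv, plain, nil)
}

func open(key, ct []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext shorter than IV")
}

// Server is the background server: RSA key pair, per-GUID request counter, issued session keys by key id.
type Server struct {
	priv      *rsa.PrivateKey
	authCount map[string]int
	sessions  map[uint32][]byte
}

func NewServer() *Server {
	return &Server{must(rsa.GenerateKey(rand.Reader, 2048)), map[string]int{}, map[uint32][]byte{}}
}

// Authenticate decrypts the first ciphertext only while the GUID is within the threshold,
// then returns key identification (4 bytes) and a fresh session key sealed under the temporary key.
func (s *Server) Authenticate(guid string, first []byte) ([]byte, error) {
	if s.authCount[guid]++; s.authCount[guid] > authThreshold {
		return nil, errors.New("authentication request count for GUID exceeds threshold")
	}
	tmpKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, first, nil)
	if err != nil {
		return nil, err
	}
	keyID := uint32(len(s.sessions) + 1) // identifications are never reused
	sessionKey := make([]byte, 32)
	must(rand.Read(sessionKey))
	s.sessions[keyID] = sessionKey
	return seal(tmpKey, append(binary.BigEndian.AppendUint32(nil, keyID), sessionKey...)), nil
}

// ReceiveUp resolves the session key from the packet header's key identification, then decrypts the body.
func (s *Server) ReceiveUp(pkt []byte) ([]byte, error) {
	if len(pkt) < 4 {
		return nil, errors.New("packet shorter than key identification header")
	}
	key, ok := s.sessions[binary.BigEndian.Uint32(pkt[:4])]
	if !ok {
		return nil, errors.New("unknown key identification")
	}
	return open(key, pkt[4:])
}

// Handshake (client side): wrap a fresh temporary key with the server public key, unwrap key id and session key.
func Handshake(s *Server, guid string) (uint32, []byte, error) {
	tmpKey := make([]byte, 32)
	must(rand.Read(tmpKey))
	first := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.priv.PublicKey, tmpKey, nil))
	second, err := s.Authenticate(guid, first)
	if err != nil {
		return 0, nil, err
	}
	plain, err := open(tmpKey, second)
	if err != nil || len(plain) != 36 {
		return 0, nil, errors.New("second ciphertext rejected")
	}
	return binary.BigEndian.Uint32(plain[:4]), plain[4:], nil
}

// SendUp builds an upstream packet: key identification header, encrypted body.
func SendUp(keyID uint32, sessionKey, data []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, keyID), seal(sessionKey, data)...)
}
```

The downlink direction of claims 3 and 11 mirrors SendUp and ReceiveUp with the roles swapped.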
Priority Applications (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610579122.XA (CN106712932B) | 2016-07-20 | 2016-07-20 | Key management method, apparatus and system |
| PCT/CN2017/091646 (WO2018014723A1) | 2016-07-20 | 2017-07-04 | Key management method, apparatus, device and system |
Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN106712932A | 2017-05-24 |
| CN106712932B | 2019-03-19 |
Family ID: 58939709
- 2016
  - 2016-07-20 CN CN201610579122.XA patent/CN106712932B/en active Active
- 2017
  - 2017-07-04 WO PCT/CN2017/091646 patent/WO2018014723A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN106712932A (en) | 2017-05-24 |
WO2018014723A1 (en) | 2018-01-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106712932B (en) | | Key management method, apparatus and system |
CN108965302B (en) | | Media data transmission system, method, device and storage medium |
CN111193695B (en) | | Encryption method and device for third party account login and storage medium |
US10819687B2 (en) | | Apparatus and method of encrypted communication |
CN104580167B (en) | | Methods, devices and systems for transmitting data |
KR101894232B1 (en) | | Method and apparatus for cloud-assisted cryptography |
US11177955B2 (en) | | Device-to-device messaging protocol |
US20160197894A1 (en) | | Method of generating deniable encrypted communications via password entry |
CN110417543B (en) | | Data encryption method, device and storage medium |
CN104821937A (en) | | Token acquisition method, device and system |
US9961056B2 (en) | | Method of deniable encrypted communications |
US11736304B2 (en) | | Secure authentication of remote equipment |
US20220182825A1 (en) | | Identity Authentication Method and Apparatus |
KR102527524B1 (en) | | Techniques for Multi-Agent Messaging |
CN109088799A (en) | | Client plug-in method, device, terminal and storage medium |
CN109086595A (en) | | Business account switching method, system, device and server |
WO2023226778A1 (en) | | Identity authentication method and apparatus, and electronic device and computer-readable storage medium |
CN114553612B (en) | | Data encryption and decryption method and device, storage medium and electronic equipment |
JP7366115B2 (en) | | Delivering notifications to mobile devices |
CN108737341A (en) | | Method for processing business, terminal and server |
CN113434904A (en) | | Data processing method and device, computer equipment and storage medium |
CN108880787A (en) | | Processing method and related device for an information key |
CN113726768A (en) | | Data transmission method and device, electronic equipment and readable storage medium |
CN109933960A (en) | | Service call control method, service calling method, device and terminal |
CN111970281B (en) | | Routing equipment remote control method and system based on verification server, and electronic equipment |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |