CN107317677A - Key storage and equipment identities authentication method, device - Google Patents

Key storage and equipment identities authentication method, device Download PDF

Info

Publication number
CN107317677A
CN107317677A CN201710378389.7A CN201710378389A CN107317677A CN 107317677 A CN107317677 A CN 107317677A CN 201710378389 A CN201710378389 A CN 201710378389A CN 107317677 A CN107317677 A CN 107317677A
Authority
CN
China
Prior art keywords
key
safety chip
ciphertext
encryption
storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710378389.7A
Other languages
Chinese (zh)
Other versions
CN107317677B (en
Inventor
胡传文
顾振华
顾志松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Keda Technology Co Ltd
Original Assignee
Suzhou Keda Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Keda Technology Co Ltd filed Critical Suzhou Keda Technology Co Ltd
Priority to CN201710378389.7A priority Critical patent/CN107317677B/en
Publication of CN107317677A publication Critical patent/CN107317677A/en
Application granted granted Critical
Publication of CN107317677B publication Critical patent/CN107317677B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Abstract

The invention discloses a kind of key storage and equipment identities authentication method, device, wherein the method for storing cipher key includes:The first encryption key is imported inside to safety chip;Export the public key of the first encryption key;The first session key ciphertext and the first session key handle are generated outside safety chip using the public key of the first encryption key;The generation storage key outside safety chip;Using the first session key handle to storage key encryption, obtain storing ciphertext;First session key ciphertext and storage ciphertext are stored to the read-write memory block to safety chip;First session key ciphertext, which imports safety chip, can obtain the first session key handle.Pass through the present invention, outside can obtain storage key from safety chip, and then processing information can be treated using the storage key outside safety chip signed or decrypted, handled without information to be signed is imported into safety chip by safety chip, thereby reduce the amount of calculation of safety chip.

Description

Key storage and equipment identities authentication method, device
Technical field
The present invention relates to field of information security technology, and in particular to a kind of key storage and equipment identities authentication method, dress Put.
Background technology
In order to improve the security of information transfer between equipment, generally using being transmitted after cipher key pair information encryption.For believing The key of encryption for information includes signature key to, encryption key pair and session key pair, and wherein encryption key is to for protecting session Key, signature key is to for digital signature and checking, session key is to for data encrypting and deciphering and MAC operation.In order to protect The security of key, the security for further improving information transfer, generally by key to being stored in can not reading and writing for safety chip Region, key cannot generally be exported.
Fig. 1 show the application building-block of logic of safety chip, and by the standard formulated of national Password Management office, (state is close for it Standard) provide.Wherein, using to include a kind of structure of container, device authentication key and file, possesses independent authority pipe Reason;Container refers in particular to cryptographic key containers, is an object logic for being used to deposit unsymmetrical key pair and session key.Signature key pair Produced inside safety chip, encryption key is to being produced by outside and being imported safely, and session key can be produced inside safety chip Life is produced by outside and imported safely.
Digital signature can prevent that sender's transmitted information from being usurped as a kind of conventional Security Data Transmission mode Change.Specifically, sender (is signed) using signature private key to information encryption, and recipient is using public signature key to encryption information solution It is close.Signature key pair can be generated in safety chip, but is merely able to export public signature key, and signature private key can not be exported.Therefore, When there is information to need signature, information to be signed can only be imported safety chip, by being exported inside safety chip after signature processing Signing messages.
(such as server needs to be communicated with multiple client), safety chip however, when information to be signed is more Disposal ability become the bottleneck communicated for server.When existing mode solves this bottleneck problem, often through raising The means such as safety chip performance, the quantity for increasing safety chip.This often increases system cost.
The content of the invention
In view of this, the embodiments of the invention provide a kind of method for storing cipher key and device, and a kind of equipment identities certification Method and device, to reduce the amount of calculation of safety chip.
First aspect present invention provides a kind of method for storing cipher key, and methods described includes:Imported inside to safety chip First encryption key;Export the public key of first encryption key;Using the public key of first encryption key in the safety Chip exterior generates the first session key ciphertext and the first session key handle;Generation storage is close outside the safety chip Key;Using the first session key handle to the storage key encryption, obtain storing ciphertext;By first session key Ciphertext and the storage ciphertext store the read-write memory block to safety chip;The first session key ciphertext imports institute The first session key handle can be obtained by stating safety chip.
Alternatively, it is described to include the step of the first encryption key is imported into safety chip:Control raw inside safety chip Into and export the first signature key;Second session key is generated inside the safety chip using first signature key, And export the second session key ciphertext and the second session key handle;The second encryption key is generated outside the safety chip; Second encryption key is encrypted using the second session key handle, the second encryption key ciphertext is obtained;According to The second session key ciphertext and the second encryption key ciphertext generate the first encryption key;By first encryption key Import inside the safety chip.
Second aspect of the present invention provides a kind of equipment identities authentication method, for server, and the server uses the On the one hand the method for storing cipher key storage signature private key or described in first aspect any one optional embodiment;Methods described Including:Receive the client certificate and the first encryption data transmitted by the client;First encryption data is using clothes The public signature key encryption of business device;When the client certificate verification is legal, obtained from the read-write memory block of the safety chip Take signature private key;First encryption data is decrypted using the signature private key;When successful decryption, the visitor is received Signature value transmitted by the end of family;Using the public key in the client certificate to the signature value sign test;When sign test by when, really The fixed client identity certification passes through.
Alternatively, the step of read-write memory block from the safety chip obtains signature private key, including:From described The read-write memory block of safety chip obtains the first session key ciphertext and the storage ciphertext;First session is close Key ciphertext imports the safety chip, obtains the first session key handle;Using the first session key handle to institute Storage ciphertext decryption is stated, the storage key is obtained as the signature private key of the server.
Alternatively, the client certificate received transmitted by the client and the step of the first encryption data it Before, in addition to:Public signature key and server info are Generated Certificate demand file;Recognized by the certificate request file to certificate Demonstrate,prove mechanism requests and obtain digital certificate;Receive the digital certificate transmitted by the certificate authority;Store the digital certificate.
Third aspect present invention provides a kind of key storage device, and described device includes:Import unit, for safety Chip internal imports the first encryption key;Lead-out unit, the public key for exporting first encryption key;First generation is single Member, the first session key ciphertext and first are generated for the public key using first encryption key outside the safety chip Session key handle;Second generation unit, for the generation storage key outside the safety chip;Ciphering unit, for adopting The storage key is encrypted with the first session key handle, obtains storing ciphertext;First memory cell, for by described in First session key ciphertext and the storage ciphertext store the read-write memory block to safety chip;First session is close Key ciphertext, which imports the safety chip, can obtain the first session key handle.
Alternatively, the import unit includes:First control subelement, generates and exports inside safety chip for controlling First signature key;First generation subelement, for generating the inside the safety chip using first signature key Two session keys, and export the second session key ciphertext and the second session key handle;Second generation subelement, for described The second encryption key of generation outside safety chip;Encryption sub-unit operable, for using the second session key handle to described the Two encryption keys are encrypted, and obtain the second encryption key ciphertext;3rd generation subelement, for close according to second session Key ciphertext and the second encryption key ciphertext generate the first encryption key;First imports subelement, for described first to be added Key is imported inside the safety chip.
Fourth aspect present invention provides a kind of equipment identities authentication device, for server, and the server uses the Key storage device storage signature private key described in three aspects or the third aspect any one optional embodiment;Described device Including:First receiving unit, for receiving client certificate and the first encryption data transmitted by the client;Described One encryption data is encrypted using the public signature key of server;Acquiring unit, for when the client certificate verification is legal, from The read-write memory block of the safety chip obtains signature private key;Decryption unit, for using the signature private key to described the One encryption data is decrypted;Second receiving unit, for when successful decryption, receiving the signature transmitted by the client Value;Sign test unit, for using the public key in the client certificate to the signature value sign test;Determining unit, is tested for working as When label pass through, determine that the client identity certification passes through.
Alternatively, the acquiring unit includes:Subelement is obtained, for being obtained from the read-write memory block of the safety chip Take the first session key ciphertext and the storage ciphertext;Second imports subelement, for first session key is close Text imports the safety chip, obtains the first session key handle;Subelement is decrypted, for close using first session Key handle obtains the storage key as the signature private key of the server to the storage ciphertext decryption.
Alternatively, described device also includes:3rd generation unit, for public signature key and server info to be Generated Certificate Demand file;Request unit, for by the certificate request file to certificate authority acquisition request digital certificate;3rd Receiving unit, for receiving the digital certificate transmitted by the certificate authority;Second memory cell, for storing the number Word certificate.
Method for storing cipher key and device that the embodiment of the present invention is provided, generation storage key, profit outside safety chip Storage key encryption is obtained storing ciphertext with the first session key handle, ciphertext and the first session key ciphertext will be stored together Storage is to the read-write memory block of safety chip, so that when there is information to need with storing key and being signed or decrypted, can be with Storage ciphertext and the first session key ciphertext are obtained from the read-write memory block of safety chip, the first session key ciphertext is imported Safety chip can obtain the first session key handle, and storage ciphertext decryption can be obtained using the first session key handle and deposited Key is stored up, and then processing information can be treated using the storage key outside safety chip and is signed or is decrypted, without Information to be signed is imported into safety chip and handled by safety chip, the amount of calculation of safety chip is thereby reduced.
Equipment identities authentication method and device that the embodiment of the present invention is provided, server receive the visitor transmitted by client After family end certificate and the first encryption data, when client certificate verification is legal, from the read-write memory block of safety chip Signature private key is obtained, the first encryption data is decrypted using the signature private key, because the signature private key is to use first party Method for storing cipher key storage described in face or first aspect any one optional embodiment, therefore the authentication Algorithm can reduce the amount of calculation of safety chip.
Brief description of the drawings
The features and advantages of the present invention can be more clearly understood from by reference to accompanying drawing, accompanying drawing is schematical without that should manage Solve to carry out any limitation to the present invention, in the accompanying drawings:
Fig. 1 shows the application building-block of logic of safety chip;
Fig. 2 shows a kind of flow chart of method for storing cipher key according to embodiments of the present invention;
Fig. 3 shows the flow chart of another method for storing cipher key according to embodiments of the present invention;
Fig. 4 shows the schematic diagram of method for storing cipher key;
Fig. 5 shows a kind of flow chart of equipment identities authentication method according to embodiments of the present invention;
Fig. 6 shows the flow chart of another equipment identities authentication method according to embodiments of the present invention;
Fig. 7 shows a kind of theory diagram of key storage device according to embodiments of the present invention;
Fig. 8 shows the theory diagram of another key storage device according to embodiments of the present invention;
Fig. 9 shows a kind of theory diagram of equipment identities authentication device according to embodiments of the present invention;
Figure 10 shows the theory diagram of another equipment identities authentication device according to embodiments of the present invention.
Embodiment
To make the purpose, technical scheme and advantage of the embodiment of the present invention clearer, below in conjunction with the embodiment of the present invention In accompanying drawing, the technical scheme in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is A part of embodiment of the present invention, rather than whole embodiments.Based on the embodiment in the present invention, those skilled in the art are not having There is the every other embodiment made and obtained under the premise of creative work, belong to the scope of protection of the invention.
Embodiment one
Fig. 2 shows a kind of flow chart of method for storing cipher key according to embodiments of the present invention, and this method is used for server. According to Fig. 2, this method comprises the following steps:
S101:The first encryption key is imported inside to safety chip.Need to use encryption key in this method, and according to peace Full chip state Data Encryption Standard, encryption key must be produced by outside and imported safely.Unless the public key or private key of encryption key are refered in particular to, it is no Then the encryption key in the application refers to encryption key pair, i.e., including public key and private key.
S102:Export the public key of the first encryption key.According to safety chip state Data Encryption Standard, the only public key of encryption key It can export, private key cannot be exported.
S103:The first session key ciphertext and the first meeting are generated outside safety chip using the public key of the first encryption key Talk about key handles.
S104:The generation storage key outside safety chip.The storage key is this method key to be stored.Need It should be noted that what the storage password was externally generated, not secure inner is generated.
S105:Using the first session key handle to storage key encryption, obtain storing ciphertext.
S106:First session key ciphertext and storage ciphertext are stored to the read-write memory block to safety chip.Its In, the first session key ciphertext, which imports safety chip, can obtain the first session key handle.
It should be added that, above-mentioned steps S104 can before any one step before step S105 or it Afterwards, the application is not limited step S104 position herein.
Above-mentioned method for storing cipher key, the generation storage key outside safety chip, using the first session key handle to depositing Storage key encryption obtains storing ciphertext, will store ciphertext and the first session key ciphertext and deposits read-write to safety chip together Memory block, so that when there is information to need with storing key and being signed or decrypted, can be from the read-write storage of safety chip Area obtains storage ciphertext and the first session key ciphertext, and the first session key ciphertext importing safety chip can be obtained into the first meeting Key handles are talked about, storage key can be obtained to storage ciphertext decryption using the first session key handle, and then can be in safety Chip exterior treats processing information using the storage key and is signed or decrypted, without information to be signed is imported into safety Handled in chip by safety chip, thereby reduce the amount of calculation of safety chip.
Embodiment two
Fig. 3 shows the flow chart of another method for storing cipher key according to embodiments of the present invention, and this method is used to service Device.Fig. 4 shows the schematic diagram of the method for storing cipher key.
According to Fig. 3, this method comprises the following steps:
S201:Generated inside control safety chip and export the first signature key.
As shown in figure 4, control generates the first signature key P1 (pu1, pr1) inside safety chip, pu1, pr1 are respectively First signature key P1 (pu1, pr1) public key and private key.
S202:Second session key is generated inside safety chip using the first signature key, and it is close to export the second session Key ciphertext and the second session key handle.
It is above-mentioned generate the first signature key P1 (pu1, pr1) inside safety chip after, can directly control safe core Piece inner utilization the first signature key P1 (pu1, pr1) generates the second session key sek2 (c2, kh2);Or first export first Signature key P1 (pu1, pr1) public key pu1, then public key pu1 is imported into safety chip, control safety chip inner utilization Public key pu1 generates the second session key sek2 (c2, kh2).Wherein c2 is the ciphertext of the second session key, and kh2 is the second session The handle of key.
S203:The second encryption key is generated outside safety chip.
As shown in figure 4, generating the second encryption key KEY2 outside safety chip.
S204:The second encryption key is encrypted using the second session key handle, the second encryption key ciphertext is obtained.
As shown in figure 4, the second encryption key KEY2 is encrypted using the second session key handle kh2, second is obtained Encryption key ciphertext c2.
S205:First encryption key is generated according to the second session key ciphertext and the second encryption key ciphertext.
As shown in figure 4, generating the first encryption key C1 according to the second session key ciphertext c2 and the second encrypted cipher text c2 (pu1, pr1), wherein pu1, pr1 are respectively first encryption key C1 (pu1, pr1) public key and private key.
S206:First encryption key is imported inside safety chip.
As shown in figure 4, the first encryption key C1 (pu1, pr1) is imported into inside safety chip.
Above-mentioned steps S201 to S206 has implemented the step S101 in embodiment one.
S207:Export the public key of the first encryption key.
As shown in figure 4, the first encryption key C1 (pu1, pr1) of export public key pu1.
S208:The first session key ciphertext and the first meeting are generated outside safety chip using the public key of the first encryption key Talk about key handles.
As shown in figure 4, being generated using the public key pu1 of above-mentioned first encryption key C1 (pu1, pr1) outside safety chip First session key sek1 (c1, kh1), wherein c1 are the ciphertext of the first session key, and kh1 is the handle of the first session key.
S209:The generation storage key outside safety chip.
As shown in figure 4, generation stores key KEY1 outside safety chip.
S210:Using the first session key handle to storage key encryption, obtain storing ciphertext.
As shown in figure 4, obtaining storage ciphertext c3 to storage key KEY1 encryptions using the first session key handle kh1.
S211:First session key ciphertext and storage ciphertext are stored to the read-write memory block to safety chip.The One session key ciphertext, which imports safety chip, can obtain the first session key handle.
As shown in figure 4, the first session key ciphertext c1 and storage ciphertext c3 are stored into read-write to safety chip Data in memory block, read-write memory block can be by outside acquisition.
Above-mentioned steps S207 to S211 refers to step S102 in embodiment one to S106, will not be repeated here.
Embodiment three
Fig. 5 shows a kind of flow chart of equipment identities authentication method according to embodiments of the present invention, and this method is used to take Business device, and server is using the method for storing cipher key storage signature private key described in embodiment one or embodiment two.According to Fig. 5 institutes Show, this method comprises the following steps:
S301:Receive the client certificate and the first encryption data transmitted by client.First encryption data is using clothes The public signature key encryption of business device.
S302:When client certificate verification is legal, signature private key is obtained from the read-write memory block of safety chip.
S303:The first encryption data is decrypted using signature private key.
Because first encryption data is encrypted using the public signature key of server, therefore according to server Signature private key successful decryption, then can illustrate the client to hold server certificate that (general public signature key is contained in certificate of service In).
S304:When successful decryption, the signature value transmitted by client is received.
S305:Using the public key in client certificate to signature value sign test.
Because the signature value transmitted by client is to use the private key in client certificate to be encrypted, if therefore passing through Public key in client certificate passes through to signature value sign test, then can illustrate the signature value really by the client is sent out and without More correct one's mistakes, its signature contents is credible.
S306:When sign test by when, determine that client identity certification passes through.
The said equipment identity identifying method, server receives the client certificate and the first encryption number transmitted by client After, when client certificate verification is legal, signature private key is obtained from the read-write memory block of safety chip, using the signature First encryption data is decrypted private key, because the signature private key is deposited using the key described in embodiment one or embodiment two Method for storing storage, therefore the authentication algorithm can reduce the amount of calculation of safety chip, specifically see embodiment one.
Example IV
Fig. 6 shows the flow chart of another equipment identities authentication method according to embodiments of the present invention, and this method is used for Server, and server is using the method for storing cipher key storage signature private key described in embodiment one or embodiment two.According to Fig. 6 Shown, this method comprises the following steps:
S401:Public signature key and server info are Generated Certificate demand file.
S402:By certificate request file to certificate authority acquisition request digital certificate.
S403:Receive the digital certificate transmitted by certificate authority.
S404:Digital certificate.The digital certificate can be stored in safety chip, be stored in safety chip It is outside.
Above-mentioned steps S401 to S404 is used for server and obtains digital certificate to certificate authority.
S405:During certification request transmitted by customer in response end, server certificate is sent to client.The server certificate I.e. above-mentioned digital certificate, for the identity of client validation server, realizes the two-way authentication of client and server.
S406:Receive the client certificate and the first encryption data transmitted by client.First encryption data is using clothes The public signature key encryption of business device.
S407:Verify whether client certificate is legal.When client certificate verification is legal, step S408 is performed.
S408:The first session key ciphertext and storage ciphertext are obtained from the read-write memory block of safety chip.
S409:First session key ciphertext is imported into safety chip, the first session key handle is obtained.
S410:Using the first session key handle to storage ciphertext decryption, obtain storing key as the signature of server Private key.
Above-mentioned steps S408 to S410 has implemented " being obtained from the read-write memory block of safety chip in embodiment three Signature private key ".When there is information to need to be signed or decrypted with the signature private key of server, by above-mentioned steps S408 extremely S410 can make outside get signature private key, so that treating the signature of processing information or decryption oprerations can be by safe core Processor outside piece is performed, and reduces the amount of calculation of safety chip.
S411:The first encryption data is decrypted using signature private key.
S412:When successful decryption, the signature value transmitted by client is received.
S413:Using the public key in client certificate to signature value sign test.
S414:When sign test by when, determine that client identity certification passes through.
Above-mentioned steps S411 to S414 refers to step S303 in embodiment three to S306, will not be repeated here.
Embodiment five
Fig. 7 shows a kind of theory diagram of key storage device according to embodiments of the present invention, and the device is used to service Device, the method for storing cipher key described in execution embodiment one or embodiment two.According to Fig. 7, this method include import unit 10, Lead-out unit 20, the first generation unit 30, the second generation unit 40, the memory cell 60 of ciphering unit 50 and first.
Import unit 10 is used to import the first encryption key to the inside of safety chip.
Lead-out unit 20 is used for the public key for exporting the first encryption key.
It is close that first generation unit 30 generates the first session for the public key using the first encryption key outside safety chip Key ciphertext and the first session key handle.
Second generation unit 40 is used for the generation storage key outside safety chip.
Ciphering unit 50 is used for using the first session key handle to storage key encryption, obtains storing ciphertext.
First memory cell 60 be used for by the first session key ciphertext and storage ciphertext store to safety chip can Read and write memory block.First session key ciphertext, which imports safety chip, can obtain the first session key handle.
Above-mentioned key storage device, the generation storage key outside safety chip, using the first session key handle to depositing Storage key encryption obtains storing ciphertext, will store ciphertext and the first session key ciphertext and deposits read-write to safety chip together Memory block, so that when there is information to need with storing key and being signed or decrypted, can be from the read-write storage of safety chip Area obtains storage ciphertext and the first session key ciphertext, and the first session key ciphertext importing safety chip can be obtained into the first meeting Key handles are talked about, storage key can be obtained to storage ciphertext decryption using the first session key handle, and then can be in safety Chip exterior treats processing information using the storage key and is signed or decrypted, without information to be signed is imported into safety Handled in chip by safety chip, thereby reduce the amount of calculation of safety chip.
As a kind of optional embodiment of the present embodiment, as shown in figure 8, import unit 10 includes the first control subelement 11st, the first generation generation of subelement 12, second subelement 13, the generation subelement 15 and first of encryption sub-unit operable the 14, the 3rd are imported Subelement 16.
First control subelement 11, for controlling to generate inside safety chip and exporting the first signature key.
First generation subelement 12, for generating the second session key inside safety chip using the first signature key, And export the second session key ciphertext and the second session key handle.
Second generation subelement 13, for generating the second encryption key outside safety chip.
Encryption sub-unit operable 14, for the second encryption key to be encrypted using the second session key handle, obtains second Encryption key ciphertext.
3rd generation subelement 15, for being added according to the second session key ciphertext and the second encryption key ciphertext generation first Key.
First imports subelement 16, for the first encryption key to be imported inside safety chip.
Embodiment six
Fig. 9 shows a kind of theory diagram of equipment identities authentication device according to embodiments of the present invention, and the device is used for Server, performs embodiment three or the equipment identities authentication method described in example IV, and server using embodiment five or Key storage device storage signature private key described in its any one optional embodiment of person.According to Fig. 9, the device includes First receiving unit 70, acquiring unit 80, decryption unit 90, the second receiving unit 100, sign test unit 110 and determining unit 120。
First receiving unit 70 is used to receive the client certificate and the first encryption data transmitted by client.First adds Ciphertext data is encrypted using the public signature key of server.
Acquiring unit 80 is used for when client certificate verification is legal, and signature is obtained from the read-write memory block of safety chip Private key.
Decryption unit 90 is used to the first encryption data is decrypted using signature private key.
Second receiving unit 100 is used for when successful decryption, receives the signature value transmitted by client.
Sign test unit 110 is used for using the public key in client certificate to signature value sign test.
Determining unit 120 be used for when sign test by when, determine that client identity certification passes through.
The said equipment identification authentication system, server receives the client certificate and the first encryption number transmitted by client After, when client certificate verification is legal, signature private key is obtained from the read-write memory block of safety chip, using the signature First encryption data is decrypted private key, because the signature private key is deposited using the key described in embodiment one or embodiment two Method for storing storage, therefore the authentication algorithm can reduce the amount of calculation of safety chip, specifically see embodiment one.
As a kind of optional embodiment of the present embodiment, as shown in Figure 10, acquiring unit 80 include obtaining subelement 81, Second imports subelement 82 and decryption subelement 83.
The read-write memory block that obtaining subelement 81 is used for from safety chip obtains the first session key ciphertext and stored close Text.
Second, which imports subelement 82, is used to the first session key ciphertext importing safety chip, obtains the first session key sentence Handle.
Decrypting subelement 83 is used for using the first session key handle to storage ciphertext decryption, obtains storage key as clothes The signature private key of business device.
As a kind of optional embodiment of the present embodiment, as shown in Figure 10, the device also includes the 3rd generation unit 130th, request unit 140, the 3rd receiving unit 150 and the second memory cell 160.
3rd generation unit 130 is used to Generate Certificate public signature key and server info demand file.
Request unit 140 is used to pass through certificate request file to certificate authority acquisition request digital certificate.
3rd receiving unit 150 is used to receive the digital certificate transmitted by certificate authority.
Second memory cell 160 is used for digital certificate.
It is to lead to it will be understood by those skilled in the art that realizing all or part of flow in above-described embodiment method Cross computer program to instruct the hardware of correlation to complete, described program can be stored in a computer read/write memory medium In, the program is upon execution, it may include such as the flow of the embodiment of above-mentioned each method.Wherein, described storage medium can be magnetic Dish, CD, read-only memory (ROM) or random access memory (RAM) etc..
Although being described in conjunction with the accompanying embodiments of the invention, those skilled in the art can not depart from the present invention Spirit and scope in the case of various modification can be adapted and modification, such modifications and variations are each fallen within by appended claims institute Within the scope of restriction.

Claims (10)

1. a kind of method for storing cipher key, it is characterised in that methods described includes:
The first encryption key is imported inside to safety chip;
Export the public key of first encryption key;
The first session key ciphertext and the first meeting are generated outside the safety chip using the public key of first encryption key Talk about key handles;
The generation storage key outside the safety chip;
Using the first session key handle to the storage key encryption, obtain storing ciphertext;
The first session key ciphertext and the storage ciphertext are stored to the read-write memory block to safety chip;It is described First session key ciphertext, which imports the safety chip, can obtain the first session key handle.
2. method for storing cipher key according to claim 1, it is characterised in that described that the first encryption is imported into safety chip The step of key, includes:
Generated inside control safety chip and export the first signature key;
Second session key is generated inside the safety chip using first signature key, and exports the second session key Ciphertext and the second session key handle;
The second encryption key is generated outside the safety chip;
Second encryption key is encrypted using the second session key handle, the second encryption key ciphertext is obtained;
First encryption key is generated according to the second session key ciphertext and the second encryption key ciphertext;
First encryption key is imported inside the safety chip.
3. a kind of equipment identities authentication method, it is characterised in that for server, the server uses the institute of claim 1 or 2 The method for storing cipher key storage signature private key stated;Methods described includes:
Receive the client certificate and the first encryption data transmitted by the client;First encryption data is using service The public signature key encryption of device;
When the client certificate verification is legal, signature private key is obtained from the read-write memory block of the safety chip;
First encryption data is decrypted using the signature private key;
When successful decryption, the signature value transmitted by the client is received;
Using the public key in the client certificate to the signature value sign test;
When sign test by when, determine that the client identity certification passes through.
4. equipment identities authentication method according to claim 3, it is characterised in that described from the readable of the safety chip The step of memory block obtains signature private key is write, including:
The first session key ciphertext and the storage ciphertext are obtained from the read-write memory block of the safety chip;
The first session key ciphertext is imported into the safety chip, the first session key handle is obtained;
Using the first session key handle to the storage ciphertext decryption, the storage key is obtained as the server Signature private key.
5. equipment identities authentication method according to claim 3, it is characterised in that transmitted by the reception client Client certificate and the step of the first encryption data before, in addition to:
Public signature key and server info are Generated Certificate demand file;
By the certificate request file to certificate authority acquisition request digital certificate;
Receive the digital certificate transmitted by the certificate authority;
Store the digital certificate.
6. a kind of key storage device, it is characterised in that described device includes:
Import unit, for importing the first encryption key to inside safety chip;
Lead-out unit, the public key for exporting first encryption key;
First generation unit, the first session is generated for the public key using first encryption key outside the safety chip Key ciphertext and the first session key handle;
Second generation unit, for the generation storage key outside the safety chip;
Ciphering unit, for, to the storage key encryption, obtaining storing ciphertext using the first session key handle;
First memory cell, for the first session key ciphertext and the storage ciphertext to be stored to safety chip Read-write memory block;The first session key ciphertext, which imports the safety chip, can obtain the first session key sentence Handle.
7. key storage device according to claim 6, it is characterised in that the import unit includes:
First control subelement, for controlling to generate inside safety chip and exporting the first signature key;
First generation subelement, it is close for generating the second session inside the safety chip using first signature key Key, and export the second session key ciphertext and the second session key handle;
Second generation subelement, for generating the second encryption key outside the safety chip;
Encryption sub-unit operable, for second encryption key being encrypted using the second session key handle, obtains the Two encryption key ciphertexts;
3rd generation subelement, for according to the second session key ciphertext and the second encryption key ciphertext generation first Encryption key;
First imports subelement, for first encryption key to be imported inside the safety chip.
8. a kind of equipment identities authentication device, it is characterised in that for server, the server uses the institute of claim 6 or 7 The key storage device storage signature private key stated;Described device includes:
First receiving unit, for receiving client certificate and the first encryption data transmitted by the client;Described One encryption data is encrypted using the public signature key of server;
Acquiring unit, for when the client certificate verification is legal, being obtained from the read-write memory block of the safety chip Signature private key;
Decryption unit, for first encryption data to be decrypted using the signature private key;
Second receiving unit, for when successful decryption, receiving the signature value transmitted by the client;
Sign test unit, for using the public key in the client certificate to the signature value sign test;
Determining unit, for when sign test by when, determine that the client identity certification passes through.
9. equipment identities authentication device according to claim 8, it is characterised in that the acquiring unit includes:
Subelement is obtained, for obtaining the first session key ciphertext and described from the read-write memory block of the safety chip Store ciphertext;
Second imports subelement, for the first session key ciphertext to be imported into the safety chip, obtains first meeting Talk about key handles;
Subelement is decrypted, for, to the storage ciphertext decryption, obtaining the storage close using the first session key handle Key as the server signature private key.
10. equipment identities authentication device according to claim 8, it is characterised in that described device also includes:
3rd generation unit, for public signature key and server info to be Generated Certificate demand file;
Request unit, for by the certificate request file to certificate authority acquisition request digital certificate;
3rd receiving unit, for receiving the digital certificate transmitted by the certificate authority;
Second memory cell, for storing the digital certificate.
CN201710378389.7A 2017-05-25 2017-05-25 Secret key storage and equipment identity authentication method and device Active CN107317677B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710378389.7A CN107317677B (en) 2017-05-25 2017-05-25 Secret key storage and equipment identity authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710378389.7A CN107317677B (en) 2017-05-25 2017-05-25 Secret key storage and equipment identity authentication method and device

Publications (2)

Publication Number Publication Date
CN107317677A true CN107317677A (en) 2017-11-03
CN107317677B CN107317677B (en) 2020-02-07

Family

ID=60181971

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710378389.7A Active CN107317677B (en) 2017-05-25 2017-05-25 Secret key storage and equipment identity authentication method and device

Country Status (1)

Country Link
CN (1) CN107317677B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888381A (en) * 2017-11-09 2018-04-06 飞天诚信科技股份有限公司 A kind of implementation method of key importing, apparatus and system
CN109343515A (en) * 2018-11-30 2019-02-15 深圳市元征科技股份有限公司 Car fault diagnosis method, system, equipment and computer readable storage medium
CN110166236A (en) * 2019-05-31 2019-08-23 北京中金国信科技有限公司 Cipher key processing method, device and system and electronic equipment
CN110602140A (en) * 2019-09-29 2019-12-20 苏州思必驰信息科技有限公司 Encryption and decryption method and system for chip authorization
CN110635901A (en) * 2019-09-11 2019-12-31 北京方研矩行科技有限公司 Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN111031047A (en) * 2019-12-16 2020-04-17 中国南方电网有限责任公司 Device communication method, device, computer device and storage medium
CN111241605A (en) * 2019-12-31 2020-06-05 航天信息股份有限公司 Safety storage device and method based on tax digital certificate
CN111414638A (en) * 2020-04-23 2020-07-14 飞天诚信科技股份有限公司 Method and device for realizing distinguishing key generation mode
CN113010908A (en) * 2019-12-20 2021-06-22 北京紫光青藤微系统有限公司 Safe storage method suitable for high-capacity SIM card
CN114244505A (en) * 2021-12-09 2022-03-25 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101989991A (en) * 2010-11-24 2011-03-23 北京天地融科技有限公司 Method for importing secret keys safely, electronic signature tool, authentication device and system
US20110243332A1 (en) * 2010-03-30 2011-10-06 Shunsuke Akimoto Data processing system, data processing method, source data processing device, destination data processing device, and storage medium
CN105553661A (en) * 2014-10-29 2016-05-04 航天信息股份有限公司 Key management method and apparatus

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110243332A1 (en) * 2010-03-30 2011-10-06 Shunsuke Akimoto Data processing system, data processing method, source data processing device, destination data processing device, and storage medium
CN101989991A (en) * 2010-11-24 2011-03-23 北京天地融科技有限公司 Method for importing secret keys safely, electronic signature tool, authentication device and system
CN105553661A (en) * 2014-10-29 2016-05-04 航天信息股份有限公司 Key management method and apparatus

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888381A (en) * 2017-11-09 2018-04-06 飞天诚信科技股份有限公司 A kind of implementation method of key importing, apparatus and system
CN109343515A (en) * 2018-11-30 2019-02-15 深圳市元征科技股份有限公司 Car fault diagnosis method, system, equipment and computer readable storage medium
CN110166236A (en) * 2019-05-31 2019-08-23 北京中金国信科技有限公司 Cipher key processing method, device and system and electronic equipment
CN110635901A (en) * 2019-09-11 2019-12-31 北京方研矩行科技有限公司 Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN110602140A (en) * 2019-09-29 2019-12-20 苏州思必驰信息科技有限公司 Encryption and decryption method and system for chip authorization
CN111031047B (en) * 2019-12-16 2022-08-12 中国南方电网有限责任公司 Device communication method, device, computer device and storage medium
CN111031047A (en) * 2019-12-16 2020-04-17 中国南方电网有限责任公司 Device communication method, device, computer device and storage medium
CN113010908B (en) * 2019-12-20 2023-11-14 紫光同芯微电子有限公司 Safe storage method suitable for large-capacity SIM card
CN113010908A (en) * 2019-12-20 2021-06-22 北京紫光青藤微系统有限公司 Safe storage method suitable for high-capacity SIM card
CN111241605A (en) * 2019-12-31 2020-06-05 航天信息股份有限公司 Safety storage device and method based on tax digital certificate
CN111414638B (en) * 2020-04-23 2023-03-24 飞天诚信科技股份有限公司 Method and device for realizing distinguishing key generation mode
CN111414638A (en) * 2020-04-23 2020-07-14 飞天诚信科技股份有限公司 Method and device for realizing distinguishing key generation mode
CN114244505A (en) * 2021-12-09 2022-03-25 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip
CN114244505B (en) * 2021-12-09 2024-02-20 武汉天喻信息产业股份有限公司 Safety communication method based on safety chip

Also Published As

Publication number Publication date
CN107317677B (en) 2020-02-07

Similar Documents

Publication Publication Date Title
CN107317677A (en) Key storage and equipment identities authentication method, device
US11470054B2 (en) Key rotation techniques
US10404670B2 (en) Data security service
US8806200B2 (en) Method and system for securing electronic data
CA2899027C (en) Data security service
US9300639B1 (en) Device coordination
CN108737374A (en) The method for secret protection that data store in a kind of block chain
CN106059760B (en) A kind of cryptographic system from user terminal crypto module calling system private key
US20200082110A1 (en) Automatic key rotation
CN103378971B (en) A kind of data encryption system and method
CN109858255A (en) Data encryption storage method, device and realization device
CN103973698B (en) User access right revoking method in cloud storage environment
US11436351B1 (en) Homomorphic encryption of secure data
CN107040534B (en) A kind of communication encrypting method and system
EP4123486A1 (en) Systems and methods for improved researcher privacy in distributed ledger-based query logging systems
CN117272346A (en) Disk data access method, device, equipment and storage medium
Ramya User Level Runtime Security Auditing for the Cloud Using Aes
Pujol et al. A Secure and User Friendly Multi-Purpose Asymmetric Key Derivation System (MPKDS)
CN116132185A (en) Data calling method, system, device, equipment and medium
CN115086020A (en) Cloud evidence obtaining method and system and computer storage medium
CN103425786A (en) Method and device for storing data and device and method for accessing encrypted data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant