CN108141353A - The method and apparatus of cryptographic algorithm upgrading - Google Patents

Publication number
CN108141353A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201580029236.0A
Other languages
Chinese (zh)
Other versions
CN108141353B (en
Inventor
黄征
郝勇钢
龙宇
来学嘉
陈璟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honor Device Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators

Abstract

The embodiment of the invention discloses a method and a related device for upgrading a cryptographic algorithm, for improving security during the cryptographic algorithm upgrade process. The method of the embodiment includes: a server sends a cryptographic algorithm upgrade signal to a device to be upgraded; after receiving the connection request sent by the device to be upgraded, when it determines that the algorithms in a target algorithm set are disabled algorithms, the server selects one or more target algorithms from the target algorithm set and cascades them to generate a cascade algorithm; and the server performs the cryptographic algorithm upgrade on the device to be upgraded by means of the cascade algorithm and a cryptographic algorithm upgrade package. Because a cascade algorithm can effectively enhance the security strength of the algorithm, security during the cryptographic algorithm upgrade process is effectively improved.

Description

Method and equipment for upgrading cryptographic algorithm
Technical Field
The present invention relates to the field of communications, and in particular, to a method for upgrading a cryptographic algorithm and a related device.
Background
With the wide application of mobile terminals, security requirements on mobile terminals are increasing, and applications such as instant messaging and mobile payment in particular have strong security requirements. Cryptographic algorithms are the core of the security guarantee, support the normal operation of a security system, and are widely used throughout mobile terminals.
In the prior art, a general upgrading method of a mobile terminal is as follows: the server issues the upgrade package, and the mobile terminal downloads the upgrade package and then performs the upgrade. A cryptographic algorithm is used for security protection in several links of the upgrade process.
However, the cryptographic algorithms used in the upgrade process may be insecure algorithms, so insecure cryptographic algorithms may be disabled when the cryptographic algorithms are upgraded. When the cryptographic algorithms on the mobile terminal are all disabled, the server and the mobile terminal may still use the disabled cryptographic algorithms to protect the upgrade process during the cryptographic algorithm upgrade, and since those algorithms are insecure, the system may be subjected to malicious attacks such as eavesdropping, man-in-the-middle attacks, and spoofing attacks.
Disclosure of Invention
The embodiment of the invention provides a method and related equipment for upgrading a cryptographic algorithm, which can effectively improve the security in the process of upgrading the cryptographic algorithm.
In a first aspect, an embodiment of the present invention provides a method for upgrading a cryptographic algorithm, including:
the server sends a cryptographic algorithm upgrade signal to the device to be upgraded, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server; the server receives a connection request sent by the device to be upgraded, wherein the connection request comprises information of the existing algorithms of the device to be upgraded; when the algorithms in the target algorithm set are determined to be forbidden algorithms, the server selects one or more forbidden algorithms from the target algorithm set and cascades them to generate a cascade algorithm, wherein the target algorithm set is a set of algorithms among the existing algorithms; and the server performs the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the selecting, by the server, one or more forbidden algorithms from the target algorithm set to cascade to generate a cascade algorithm includes: the server acquires attribute information of a target algorithm in the target algorithm set; the server determines, according to the attribute information, the forbidden algorithms that allow cascading; the server selects one or more forbidden algorithms that allow cascading and cascades them to generate a cascade algorithm.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the method further includes: the server judges whether the target algorithm is the algorithm to be forbidden indicated in the upgrade package, and if so, the target algorithm is determined to be the forbidden algorithm; or the server determines whether the target algorithm is in a forbidden state according to the information of the existing algorithm, and if so, the server determines that the target algorithm is the forbidden algorithm.
With reference to the first aspect, the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the method further includes: the server sends a cascade instruction to the equipment to be upgraded so that the equipment to be upgraded generates a cascade algorithm according to the cascade instruction and the existing algorithm, and the cascade instruction is used for indicating the composition and the cascade mode of the cascade algorithm.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the existing algorithm of the device to be upgraded is an algorithm on a hardware accelerator of the device to be upgraded.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the target algorithm set includes an https encryption algorithm set, the cascade algorithm includes a cascade https encryption algorithm, and the cascade indication includes a cascade https encryption algorithm indication; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server establishes https secure connection with the equipment to be upgraded through a cascading https encryption algorithm; and the server sends a cryptographic algorithm upgrading packet to the equipment to be upgraded through https secure connection, and the cryptographic algorithm upgrading packet is encrypted by a cascading https encryption algorithm so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
With reference to the fourth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the target algorithm set includes an https signature algorithm set, the cascade algorithm includes a cascade https signature algorithm, and the cascade instruction includes a cascade https signature algorithm instruction; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server establishes https secure connection with the equipment to be upgraded through a cascading https signature algorithm; and the server sends a cryptographic algorithm upgrading packet to the equipment to be upgraded through https secure connection so that the equipment to be upgraded performs cryptographic algorithm upgrading.
With reference to the fourth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the target algorithm set includes an integrity algorithm set, the cascade algorithm includes a cascade integrity algorithm, and the cascade indication includes a cascade integrity algorithm indication; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server establishes an https secure connection with the device to be upgraded through the cascade integrity algorithm; and the server sends the cryptographic algorithm upgrade package to the device to be upgraded through the https secure connection, the cryptographic algorithm upgrade package being integrity-protected by the cascade integrity algorithm, so that the device to be upgraded performs the cryptographic algorithm upgrade.
With reference to the fourth possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the target algorithm set includes an upgrade package signature algorithm set, the cascade algorithm includes a cascade upgrade package signature algorithm, and the cascade instruction includes a cascade upgrade package signature algorithm instruction; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server signs the cryptographic algorithm upgrade package through a cascade upgrade package signature algorithm; and the server sends a cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet signature algorithm indication, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
With reference to the fourth possible implementation manner of the first aspect, in a ninth possible implementation manner of the first aspect, the server selects a target hash algorithm from existing algorithms; the server hashes the upgrade package through a target hash algorithm to obtain a hash value of the cipher algorithm upgrade package; the server signs the cryptographic algorithm upgrade package through the cascade signature algorithm, and the signing comprises the following steps: and the server signs the hash value of the cryptographic algorithm upgrading packet through a cascade signature algorithm.
With reference to the fourth possible implementation manner of the first aspect, in a tenth possible implementation manner of the first aspect, the target algorithm set includes an upgrade packet hash algorithm set, the cascade algorithm includes a cascade upgrade packet hash algorithm, and the cascade algorithm indication includes a cascade upgrade packet hash algorithm indication; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server hashes the cipher algorithm upgrading packet through a cascading upgrading packet hash algorithm to obtain a hash value of the cipher algorithm upgrading packet; the server sends a cipher algorithm upgrading packet and a Hash value to the equipment to be upgraded, wherein the cipher algorithm upgrading packet comprises a cascading upgrading packet Hash algorithm indication, so that the equipment to be upgraded is subjected to cipher algorithm upgrading.
With reference to the fourth possible implementation manner of the first aspect, in an eleventh possible implementation manner of the first aspect, the target algorithm set includes an upgrade package encryption algorithm set, the cascade algorithm includes a cascade upgrade package encryption algorithm, and the cascade algorithm indication includes a cascade upgrade package encryption algorithm indication; the step of the server performing the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package comprises the following steps: the server encrypts the cipher algorithm upgrading packet through a cascade upgrading packet encryption algorithm; and the server sends a cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet encryption algorithm indication, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
In a second aspect, an embodiment of the present invention provides a method for upgrading a cryptographic algorithm, including:
the device to be upgraded detects a cryptographic algorithm upgrade signal sent by the server, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server; the device to be upgraded sends a connection request to the server, wherein the connection request contains information of the existing algorithms of the device to be upgraded, the connection request is used for enabling the server to generate a cascade algorithm according to the existing algorithms, and the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms that allow cascading among the existing algorithms; and the device to be upgraded performs the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the method further includes: the device to be upgraded receives a cascade indication sent by the server, wherein the cascade indication is used for indicating the composition and the cascade mode of the cascade algorithm; and the device to be upgraded generates the cascade algorithm according to the cascade indication and the existing algorithms.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the existing algorithm is an algorithm on a hardware accelerator of the device to be upgraded.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the cascade algorithm includes a cascade https encryption algorithm, and the cascade indication includes a cascade https encryption algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded establishes an https secure connection with the server through the cascade https encryption algorithm; the device to be upgraded receives the cryptographic algorithm upgrade package sent by the server through the https secure connection, the cryptographic algorithm upgrade package being encrypted by the cascade https encryption algorithm; the device to be upgraded decrypts the cryptographic algorithm upgrade package according to the cascade https encryption algorithm; and the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
With reference to the second possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the cascade algorithm includes a cascade https signature algorithm, and the cascade indication includes a cascade https signature algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded establishes an https secure connection with the server through the cascade https signature algorithm; the device to be upgraded receives the cryptographic algorithm upgrade package sent by the server through the https secure connection; and the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
With reference to the second possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the cascade algorithm includes a cascade integrity algorithm, and the cascade indication includes a cascade integrity algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded establishes an https secure connection with the server through the cascade integrity algorithm; the device to be upgraded receives the cryptographic algorithm upgrade package sent by the server through the https secure connection, the cryptographic algorithm upgrade package being integrity-protected by the cascade integrity algorithm; the device to be upgraded performs an integrity check on the cryptographic algorithm upgrade package according to the cascade integrity algorithm; and if the check passes, the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
With reference to the second possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the cascade algorithm includes a cascade upgrade package signature algorithm, and the cascade indication includes a cascade upgrade package signature algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded receives the cryptographic algorithm upgrade package sent by the server, wherein the cryptographic algorithm upgrade package comprises the cascade upgrade package signature algorithm indication; the device to be upgraded performs signature verification on the cryptographic algorithm upgrade package through the cascade signature algorithm; and if the verification is successful, the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
With reference to the second possible implementation manner of the second aspect, in a seventh possible implementation manner of the second aspect, the cascade algorithm includes a cascade upgrade package hash algorithm, and the cascade indication includes a cascade upgrade package hash algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded receives the cryptographic algorithm upgrade package and the hash value of the cryptographic algorithm upgrade package sent by the server, wherein the cryptographic algorithm upgrade package comprises the cascade upgrade package hash algorithm indication; the device to be upgraded performs a hash check on the cryptographic algorithm upgrade package through the cascade hash algorithm and the hash value; and if the check is successful, the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
With reference to the second possible implementation manner of the second aspect, in an eighth possible implementation manner of the second aspect, the cascade algorithm includes a cascade upgrade package encryption algorithm, and the cascade indication includes a cascade upgrade package encryption algorithm indication; the device to be upgraded performing the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package includes: the device to be upgraded receives the cryptographic algorithm upgrade package sent by the server, wherein the cryptographic algorithm upgrade package comprises the cascade upgrade package encryption algorithm indication; the device to be upgraded decrypts the cryptographic algorithm upgrade package through the cascade encryption algorithm; and the device to be upgraded performs the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
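The upgrade-package hash variant of the first and second aspects above, sketched in Python as an added example; it is not code from the patent. The attribute table, the `concat` cascade mode (each member's digest over the same package, concatenated in order) and every function and field name are assumptions, since the text only says the cascade indication carries the composition and cascade mode.

```python
import hashlib
import hmac

# Constructed attribute table (assumption): whether the server allows an
# algorithm to take part in a cascade. "legacy-sum" is a made-up name.
CASCADE_ALLOWED = {"md5": True, "sha1": True, "legacy-sum": False}

# Constructed sample input: algorithm states reported in the connection request,
# and the algorithms the upgrade package is going to disable.
SAMPLE_PACKAGE = b"constructed upgrade package: disable md5, install sha256"
REPORTED = {"md5": "enabled", "sha1": "disabled", "legacy-sum": "disabled"}
TO_DISABLE = {"md5"}


def is_disabled(name, reported_state, to_disable):
    """Disabled if the upgrade package will disable it, or the device already
    reports it as disabled (the two tests of the second implementation)."""
    return name in to_disable or reported_state.get(name) == "disabled"


def build_cascade_indication(reported_state, to_disable):
    """Server side: return a cascade indication, or None when the target set
    still contains an algorithm that is not disabled (no cascade needed)."""
    target_set = sorted(reported_state)
    if not target_set:
        return None
    if not all(is_disabled(n, reported_state, to_disable) for n in target_set):
        return None
    members = [n for n in target_set if CASCADE_ALLOWED.get(n, False)]
    if not members:
        raise ValueError("no disabled algorithm is allowed in a cascade")
    return {"members": members, "mode": "concat"}


def cascade_hash(data, indication, available):
    """Hash `data` with every member named in the indication and concatenate
    the digests. `available` is the set of algorithms this side implements."""
    if indication.get("mode") != "concat":
        raise ValueError("unsupported cascade mode")
    members = indication.get("members") or []
    if not members:
        raise ValueError("empty cascade")
    out = b""
    for name in members:
        if name not in available:
            raise ValueError("algorithm not available: %s" % name)
        out += hashlib.new(name, data).digest()
    return out


def server_prepare(package, reported_state, to_disable):
    """Server side: pick the cascade and hash the upgrade package with it."""
    indication = build_cascade_indication(reported_state, to_disable)
    if indication is None:
        return None, None
    return indication, cascade_hash(package, indication, set(indication["members"]))


def device_verify(package, indication, received_hash, device_algorithms):
    """Device side: rebuild the cascade from the indication and its own
    algorithms, then compare in constant time. Any mismatch, unknown mode or
    missing member rejects the package."""
    try:
        expected = cascade_hash(package, indication, device_algorithms)
    except ValueError:
        return False
    return hmac.compare_digest(expected, received_hash)


if __name__ == "__main__":
    ind, digest = server_prepare(SAMPLE_PACKAGE, REPORTED, TO_DISABLE)
    print(ind, digest.hex())
    print("device accepts:", device_verify(SAMPLE_PACKAGE, ind, digest, {"md5", "sha1"}))
```
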
In a third aspect, an embodiment of the present invention provides a server, including:
a sending unit, configured to send a cryptographic algorithm upgrade signal to the device to be upgraded, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server; a receiving unit, configured to receive a connection request sent by the device to be upgraded, wherein the connection request comprises information of the existing algorithms of the device to be upgraded; and a processing unit, configured to select one or more forbidden algorithms from the target algorithm set and cascade them to generate a cascade algorithm when the algorithms in the target algorithm set are all forbidden algorithms, wherein the target algorithm set is a set of algorithms among the existing algorithms, and then to perform the cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the processing unit is specifically configured to obtain attribute information of a target algorithm in the target algorithm set, determine, according to the attribute information, a forbidden algorithm that allows cascading, and select one or more forbidden algorithms that allow cascading to perform cascading to generate a cascading algorithm.
With reference to the third aspect, in a second possible implementation manner of the third aspect, the processing unit is further configured to determine whether the target algorithm is an algorithm to be disabled indicated in the upgrade package, and if so, determine that the target algorithm is a disabled algorithm; or the processing unit is further configured to determine whether the target algorithm is in a disabled state according to the information of the existing algorithms, and if so, determine that the target algorithm is a disabled algorithm.
With reference to the third aspect, the first possible implementation manner of the third aspect, or the second possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the sending unit is further configured to send a cascade instruction to the device to be upgraded, so that the device to be upgraded generates a cascade algorithm according to the cascade instruction and an existing algorithm, where the cascade instruction is used to indicate a configuration and a cascade manner of the cascade algorithm.
With reference to the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, if the target algorithm set includes an https encryption algorithm set, the cascade algorithm includes a cascade https encryption algorithm, and the cascade indication includes a cascade https encryption algorithm indication; the processing unit is specifically used for establishing https secure connection with the equipment to be upgraded through a cascade https encryption algorithm; and the sending unit is also used for sending a cryptographic algorithm upgrading packet to the equipment to be upgraded through https secure connection, wherein the cryptographic algorithm upgrading packet is encrypted by a cascading https encryption algorithm.
With reference to the third possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, if the target algorithm set includes an https signature algorithm set, the cascade algorithm includes a cascade https signature algorithm, and the cascade instruction includes a cascade https signature algorithm instruction; the processing unit is specifically used for establishing https secure connection with the equipment to be upgraded through a cascading https signature algorithm; and the sending unit is also used for sending the cryptographic algorithm upgrading packet to the equipment to be upgraded through https secure connection.
With reference to the third possible implementation manner of the third aspect, in a sixth possible implementation manner of the third aspect, if the target algorithm set includes the integrity algorithm set, the cascade algorithm includes a cascade integrity algorithm, and the cascade indication includes a cascade integrity algorithm indication; the processing unit is specifically used for establishing https secure connection with the equipment to be upgraded through a cascade integrity algorithm; and the sending unit is also used for sending a cryptographic algorithm upgrading packet to the equipment to be upgraded through https secure connection, and the cryptographic algorithm upgrading packet is subjected to integrity protection by a cascade integrity algorithm.
With reference to the third possible implementation manner of the third aspect, in a seventh possible implementation manner of the third aspect, if the target algorithm set includes the upgrade package signature algorithm set, the cascade algorithm includes a cascade upgrade package signature algorithm, and the cascade instruction includes a cascade upgrade package signature algorithm instruction; the processing unit is specifically used for signing the cryptographic algorithm upgrade package through a cascade upgrade package signature algorithm; and the sending unit is also used for sending a cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet signature algorithm indication.
With reference to the seventh possible implementation manner of the third aspect, in an eighth possible implementation manner of the third aspect, the processing unit is further configured to select a target hash algorithm from existing algorithms; hashing the upgrade package through a target hashing algorithm to obtain a hashing value of the cipher algorithm upgrade package; the processing unit signs the cryptographic algorithm upgrade package through the cascade upgrade package signature algorithm, specifically, signs the hash value of the cryptographic algorithm upgrade package through the cascade signature algorithm.
With reference to the third possible implementation manner of the third aspect, in a ninth possible implementation manner of the third aspect, if the target algorithm set includes an upgrade packet hash algorithm set, the cascade algorithm includes a cascade upgrade packet hash algorithm, and the cascade algorithm indication includes a cascade upgrade packet hash algorithm indication; the processing unit is specifically further configured to hash the cryptographic algorithm upgrade package through a cascade upgrade package hash algorithm to obtain a hash value of the cryptographic algorithm upgrade package; and the sending unit is also used for sending a cryptographic algorithm upgrading packet and a hash value to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet hash algorithm indication.
With reference to the third possible implementation manner of the third aspect, in a tenth possible implementation manner of the third aspect, if the target algorithm set includes an upgrade package encryption algorithm set, the cascade algorithm includes a cascade upgrade package encryption algorithm, and the cascade algorithm indication includes a cascade upgrade package encryption algorithm indication; the processing unit is specifically further configured to encrypt the cryptographic algorithm upgrade package by a cascade upgrade package encryption algorithm; and the sending unit is also used for sending a cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet encryption algorithm indication.
In a fourth aspect, an embodiment of the present invention provides a mobile terminal, including:
a processing unit, configured to detect a cryptographic algorithm upgrade signal sent by the server, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server; and a sending unit, configured to send a connection request to the server, wherein the connection request comprises information of the existing algorithms of the device to be upgraded, the connection request is used for enabling the server to generate a cascade algorithm according to the existing algorithms, and the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms that allow cascading among the existing algorithms; the processing unit is further configured to perform the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
With reference to the fourth aspect, in a first possible implementation manner of the fourth aspect, the mobile terminal further includes: the receiving unit is used for receiving the cascading instruction sent by the server, and the cascading instruction is used for indicating the composition and the cascading mode of the cascading algorithm; and the processing unit is also used for generating a cascade algorithm according to the cascade indication and the existing algorithm.
With reference to the first possible implementation manner of the fourth aspect, in a second possible implementation manner of the fourth aspect, if the cascade algorithm includes a cascade https encryption algorithm, the cascade indication includes a cascade https encryption algorithm indication; the processing unit is specifically used for establishing https secure connection with the server through a cascading https encryption algorithm; the receiving unit is also used for receiving a cryptographic algorithm upgrading packet sent by the server through https secure connection, and the cryptographic algorithm upgrading packet is encrypted by a cascading https encryption algorithm; and the processing unit is specifically used for decrypting the cryptographic algorithm upgrading packet according to the cascading https encryption algorithm and then upgrading the cryptographic algorithm according to the cryptographic algorithm upgrading packet.
With reference to the first possible implementation manner of the fourth aspect, in a third possible implementation manner of the fourth aspect, if the cascade algorithm further includes a cascade https signature algorithm, the cascade instruction further includes a cascade https signature algorithm instruction; the processing unit is specifically used for establishing https secure connection with the server through a cascading https signature algorithm; the receiving unit is also used for receiving a cryptographic algorithm upgrading packet sent by the server through https secure connection; and the processing unit is specifically used for carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
With reference to the first possible implementation manner of the fourth aspect, in a fourth possible implementation manner of the fourth aspect, if the cascade algorithm includes a cascade integrity algorithm, the cascade indication includes a cascade integrity algorithm indication; the processing unit is specifically used for establishing https secure connection with the server through a cascade integrity algorithm; the receiving unit is also used for receiving a cryptographic algorithm upgrading packet sent by the server through https secure connection, and the cryptographic algorithm upgrading packet is subjected to integrity protection through a cascade integrity algorithm; the processing unit is specifically used for carrying out integrity check on the cryptographic algorithm upgrading packet according to the cascade integrity algorithm; and if the verification is passed, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
With reference to the first possible implementation manner of the fourth aspect, in a fifth possible implementation manner of the fourth aspect, if the cascade algorithm includes a cascade upgrade package signature algorithm, the cascade instruction includes a cascade upgrade package signature algorithm instruction; the receiving unit is also used for receiving a cryptographic algorithm upgrading packet sent by the server, and the cryptographic algorithm upgrading packet comprises a cascading upgrading packet signature algorithm indication; the processing unit is specifically used for carrying out signature verification on the cryptographic algorithm upgrade package through a cascade signature algorithm; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
With reference to the first possible implementation manner of the fourth aspect, in a sixth possible implementation manner of the fourth aspect, if the cascade algorithm includes a cascade upgrade packet hash algorithm, the cascade indication includes a cascade upgrade packet hash algorithm indication; the receiving unit is also used for receiving the cryptographic algorithm upgrading packet and the hash value of the cryptographic algorithm upgrading packet sent by the server, and the cryptographic algorithm upgrading packet comprises a cascading upgrading packet hash algorithm indication; the processing unit is specifically used for carrying out Hash check on the cryptographic algorithm upgrading packet through a cascade Hash algorithm and a Hash value; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
With reference to the first possible implementation manner of the fourth aspect, in a seventh possible implementation manner of the fourth aspect, if the cascade algorithm includes a cascade upgrade package encryption algorithm, the cascade indication includes a cascade upgrade package encryption algorithm indication; the receiving unit is also used for receiving a cryptographic algorithm upgrading packet sent by the server, wherein the cryptographic algorithm upgrading packet comprises a cascading upgrading packet encryption algorithm indication; the processing unit is specifically used for decrypting the cryptographic algorithm upgrading packet through the cascade encryption algorithm; and then, carrying out password algorithm upgrading according to the password algorithm upgrading packet.
According to the technical scheme, the scheme of the embodiment of the invention has the following beneficial effects:
In the embodiments of the present invention, the server sends a cryptographic algorithm upgrade signal to the device to be upgraded. After receiving the connection request sent by the device to be upgraded, when the server determines that the algorithms in the target algorithm set are all disabled algorithms, it does not directly select a disabled algorithm to perform the cryptographic algorithm upgrade with the device to be upgraded. Instead, it selects one or more target algorithms from the target algorithm set and cascades them to generate a cascade algorithm, and performs the cryptographic algorithm upgrade on the device to be upgraded using the cascade algorithm and the cryptographic algorithm upgrade package. Because a cascade algorithm can effectively increase the security strength of the algorithm, the security of the cryptographic algorithm upgrade process is effectively improved.
Drawings
FIG. 1 is a signaling flow diagram of a cryptographic algorithm upgrade process of a mobile terminal in an embodiment of the present invention;
FIG. 2 is a flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 3 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 4 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 5 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 6 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 7 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 8 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 9 is another flowchart of a cryptographic algorithm upgrading method in an embodiment of the present invention;
FIG. 10 is a block diagram of a server according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of another modular structure of a server in an embodiment of the invention;
FIG. 12 is a schematic diagram of another modular structure of a server in an embodiment of the invention;
FIG. 13 is a schematic diagram of another modular structure of a server in an embodiment of the invention;
FIG. 14 is a schematic diagram of a modular structure of a mobile terminal according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of another modular structure of the mobile terminal according to the embodiment of the present invention;
FIG. 16 is a schematic diagram of another modular structure of the mobile terminal according to the embodiment of the present invention;
FIG. 17 is a diagram illustrating another hardware configuration of a server according to an embodiment of the present invention;
FIG. 18 is a schematic diagram of another hardware structure of the mobile terminal in the embodiment of the present invention.
Detailed Description
An embodiment of the present invention provides a method for upgrading a cryptographic algorithm, which is used to improve security during the cryptographic algorithm upgrade process. Details are given below.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The cryptographic algorithm upgrading method in the embodiment of the invention can be applied to a mobile terminal, and can also be applied to upgrading processes and applications which need to enhance the strength of the cryptographic algorithm, such as a communication base station based on an ARM platform, a vehicle-mounted system and the like.
Cryptographic algorithms are used for security protection at several stages of the mobile terminal's cryptographic algorithm upgrade process. The process of upgrading the cryptographic algorithm of the mobile terminal is described in detail below with reference to FIG. 1.
101. The mobile terminal stays connected to the server and checks whether the server has sent an upgrade signal. If the mobile terminal detects an upgrade signal sent by the server, it sends an upgrade request to the server together with the cryptographic algorithms it supports.
102. From the cryptographic algorithms supported by the mobile terminal, the server selects the cryptographic algorithms to be used when establishing the https secure connection and sending the upgrade package, including: the https encryption algorithm, integrity algorithm and https signature algorithm used in the https secure connection process; and the upgrade package signature algorithm, upgrade package hash algorithm and upgrade package encryption algorithm used to protect the upgrade package.
103. The server encrypts the information about the selected cryptographic algorithms with the public key of the mobile terminal and sends it to the mobile terminal, and also sends the server's certificate, which includes the server's public key, to the mobile terminal.
104. The mobile terminal uses its private key to decrypt the algorithms selected by the server.
105. The mobile terminal generates a random number key.
106. The mobile terminal encrypts the random number key using the https signature algorithm, encrypts the random number key using the public key of the server, and encrypts the handshake message using the https encryption algorithm and the integrity algorithm.
107. The mobile terminal sends the random number key and the handshake message to the server.
108. The server decrypts using its private key and the https signature algorithm to obtain the random number key, decrypts using the random number key and the https encryption algorithm to obtain the handshake message, and verifies the integrity of the handshake message using the integrity algorithm.
109. The server then encrypts a handshake message using the https encryption algorithm and the key, and encrypts the handshake message using the integrity algorithm.
110. The server sends the handshake message to the mobile terminal.
111. The mobile terminal decrypts the handshake message using the https encryption algorithm and the key, and verifies the integrity of the handshake message using the integrity algorithm. The handshake between the server and the mobile terminal then succeeds and the https connection between them is established. Subsequent data communication between the server and the mobile terminal is encrypted using the https encryption algorithm, and the integrity of the communication data is protected using the integrity algorithm.
112. The server signs the upgrade package using the upgrade package signature algorithm selected in step 102, hashes the upgrade package using the upgrade package hash algorithm, and encrypts the upgrade package using the upgrade package encryption algorithm.
113. The server sends the upgrade package to the mobile terminal over the https secure connection.
114. The mobile terminal verifies the signature of the upgrade package using the upgrade package signature algorithm, performs a hash check on the upgrade package using the hash algorithm, and decrypts the upgrade package using the encryption algorithm to obtain the upgrade package.
115. The mobile terminal performs the cryptographic algorithm upgrade according to the upgrade package.
However, the cryptographic algorithms used in the upgrade process may already have been disabled because of security problems. To avoid the security risk of using these disabled algorithms directly, they are used in cascade to improve security during the cryptographic algorithm upgrade process.
In the embodiment of the present invention, the following cryptographic algorithms used in the embodiment shown in fig. 1 are used to illustrate the cascade use of the forbidden algorithm in the cryptographic algorithm upgrading process: https encryption algorithm, integrity algorithm, https signature algorithm used in the https secure connection process, upgrade package signature algorithm, upgrade package hash algorithm, and upgrade package encryption algorithm for protecting the upgrade package. However, other cryptographic algorithms may be used for protection during the cryptographic algorithm upgrade process, and it is understood that other cryptographic algorithms may also be used in cascade using the scheme of the present invention.
The following describes a method for using a cryptographic algorithm cascade in an embodiment of the present invention.
With reference to fig. 2, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
201. The server sends a cryptographic algorithm upgrade signal to the device to be upgraded.
When a cryptographic algorithm upgrade package exists on the server, the server broadcasts upgrade information to the device to be upgraded at an appropriate time, as required. The automatic detection program of the device to be upgraded periodically checks whether the servers of the device manufacturer and the service operator have a cryptographic algorithm upgrade package, and if an upgrade package is detected, it sends a connection request to the server.
It should be noted that, in the embodiment of the present invention, the device to be upgraded may be a mobile terminal, and may also be a communication base station based on an ARM platform, a vehicle-mounted system, and other devices that need to enhance the strength of the cryptographic algorithm, which is not specifically limited herein.
202. The server receives the connection request sent by the device to be upgraded.
After the mobile terminal sends a connection request to the server, the server receives the connection request, which carries the existing cryptographic algorithm information of the mobile terminal, that is, information about the cryptographic algorithms the mobile terminal supports.
203. When the algorithms in the target algorithm set are determined to be disabled algorithms, the server selects one or more disabled algorithms from the target algorithm set and cascades them to generate a cascade algorithm.
After the server obtains the existing cryptographic algorithm information of the mobile terminal from the request, it selects from those algorithms a certain type of algorithm that is needed to protect the cryptographic algorithm upgrade process. The algorithms of the type selected by the server are called the target algorithm set, which may contain only one algorithm or several algorithms.
It should be noted that, in practical applications, the server generally uses more than one type of algorithm to protect the cryptographic algorithm upgrade process, so the server may select several types of algorithms. The embodiments of the present invention are described using the example of the server selecting one type of algorithm.
An algorithm state list is stored on both the mobile terminal and the server. The algorithm state list records whether each existing algorithm of the mobile terminal is available or disabled. If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by attackers or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a security risk.
After the server determines the target algorithm set, it selects an available algorithm from the target algorithm set to protect the upgrade process. If the algorithms in the target algorithm set are all disabled algorithms, the server selects one or more disabled algorithms, according to the characteristics of those algorithms, and cascades them to generate a cascade algorithm. For example: if the server selects the disabled algorithm E1, then E1 may be cascaded with itself multiple times; if the server selects the disabled algorithms E1 and E2, E1 may be cascaded with E2.
It should be noted that algorithm cascading is prior art and can improve the security strength of a cryptographic algorithm. Cascade encryption is used as an example below:
Cascade encryption means encrypting a message first with algorithm E1 and key KE1 and then with algorithm E2 and key KE2, and this can be extended to more algorithms. For multiple cascade encryption, research results show that if all the keys are independent of each other, the cascade's resistance to cryptanalysis is at least as strong as that of the first algorithm in the cascade; more specifically, under a chosen-plaintext attack, the cascade encryption is at least as hard to break as its component ciphers. Cascade encryption therefore essentially meets the requirement of increasing strength.
Specifically, the concatenated encryption process is:
The cascade decryption process is as follows:
The keys used by the algorithms must be independent of each other, so that the key length is increased and security is enhanced. Research results show that if the block length of the cascade cipher is m bits, the key length is k bits, and the number of cascaded ciphers is l, then the unicity distance of the cascade cipher is lk/m. Generally, the longer the unicity distance, the better the cryptosystem. If lk ≤ 2m, the cascade cipher will most likely have 2^(lk) different mappings, which means that 2^(lk) attempts are required to attack the cascade cipher exhaustively.
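The cascade encryption and decryption described above, as an added example that is not part of the patent text: the message is encrypted with E1 under KE1 and then with E2 under KE2, and decryption removes the layers in reverse order with keys that must not repeat. `FeistelCipher`, the 16-byte block size and the sample keys are assumptions standing in for the algorithms E1 and E2, and the stand-in cipher is for illustration only.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes of the stand-in ciphers (constructed for this example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FeistelCipher:
    """Stand-in for one algorithm E_i: a 4-round Feistel network whose round
    function is HMAC-SHA256. Each block is processed independently.
    Illustrative only, not a vetted cipher."""

    def __init__(self, label: bytes, rounds: int = 4):
        self.label = label
        self.rounds = rounds

    def _f(self, key: bytes, i: int, half: bytes) -> bytes:
        msg = self.label + bytes([i]) + half
        return hmac.new(key, msg, hashlib.sha256).digest()[: BLOCK // 2]

    def encrypt(self, key: bytes, data: bytes) -> bytes:
        out = bytearray()
        for off in range(0, len(data), BLOCK):
            left, right = data[off:off + 8], data[off + 8:off + BLOCK]
            for i in range(self.rounds):
                left, right = right, xor_bytes(left, self._f(key, i, right))
            out += left + right
        return bytes(out)

    def decrypt(self, key: bytes, data: bytes) -> bytes:
        out = bytearray()
        for off in range(0, len(data), BLOCK):
            left, right = data[off:off + 8], data[off + 8:off + BLOCK]
            for i in reversed(range(self.rounds)):
                left, right = xor_bytes(right, self._f(key, i, left)), left
            out += left + right
        return bytes(out)


def check_cascade(stages, data: bytes) -> None:
    """Reject unaligned input and any key that appears in two stages."""
    if not stages:
        raise ValueError("a cascade needs at least one stage")
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    keys = [key for _, key in stages]
    if len(set(keys)) != len(keys):
        raise ValueError("cascade keys must be independent; a key is reused")


def cascade_encrypt(stages, message: bytes) -> bytes:
    """Apply E1 with KE1 first, then E2 with KE2, and so on through the list."""
    check_cascade(stages, message)
    data = message
    for cipher, key in stages:
        data = cipher.encrypt(key, data)
    return data


def cascade_decrypt(stages, ciphertext: bytes) -> bytes:
    """Remove the layers in reverse order: the last algorithm applied is undone first."""
    check_cascade(stages, ciphertext)
    data = ciphertext
    for cipher, key in reversed(stages):
        data = cipher.decrypt(key, data)
    return data


if __name__ == "__main__":
    e1, e2 = FeistelCipher(b"E1"), FeistelCipher(b"E2")
    # Independent keys: each one is drawn separately from the system CSPRNG.
    stages = [(e1, secrets.token_bytes(16)), (e2, secrets.token_bytes(16))]
    message = b"constructed upgrade package".ljust(32, b"\x00")  # constructed sample
    ciphertext = cascade_encrypt(stages, message)
    print("round trip ok:", cascade_decrypt(stages, ciphertext) == message)
```

The same functions cover the case of one algorithm cascaded with itself: pass the same cipher object several times, each with its own key.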
204. The server performs the cryptographic algorithm upgrade on the device to be upgraded using the cascade algorithm and the cryptographic algorithm upgrade package.
After the server cascades the disabled algorithms to generate the cascade algorithm, the mobile terminal is upgraded using the cryptographic algorithm upgrade package that exists on the server, and the cascade algorithm generated by the server is used for protection during the upgrade process.
In the embodiments of the present invention, the server sends a cryptographic algorithm upgrade signal to the mobile terminal. After receiving the connection request sent by the mobile terminal, when the algorithms in the target algorithm set are all disabled algorithms, the server does not directly select a disabled algorithm to perform the cryptographic algorithm upgrade with the mobile terminal. Instead, it selects one or more target algorithms from the target algorithm set and cascades them to generate a cascade algorithm, and performs the cryptographic algorithm upgrade on the mobile terminal using the cascade algorithm and the cryptographic algorithm upgrade package. Because a cascade algorithm can effectively increase the security strength of the algorithm, the security of the cryptographic algorithm upgrade process is effectively improved.
Not all of the existing algorithms of the mobile device are allowed to be cascaded, so when the server selects algorithms to cascade, it must do so according to each algorithm's attribute indicating whether cascading is allowed. In practical applications, after the server selects the algorithms to cascade, it needs to inform the mobile terminal of the selected algorithms and the cascade mode, as described in detail below.
With reference to fig. 3, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
301. The server sends a cryptographic algorithm upgrade signal to the device to be upgraded.
The cryptographic algorithms of a mobile terminal exist in two forms: algorithms on a cryptographic hardware accelerator and algorithms implemented in software. A cryptographic hardware accelerator means that the cryptographic algorithm module has a dedicated hardware accelerator for each cryptographic algorithm in order to increase operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, an upgrade signal is sent to the mobile terminal. The automatic detection program of the mobile terminal periodically checks whether the server of the equipment manufacturer and the service operator has an upgrade signal, and when the mobile terminal detects the upgrade signal, a connection request is sent to the server.
302. The server receives the connection request sent by the device to be upgraded.
After the mobile terminal sends a connection request to the server, the server receives the connection request, which carries information about the cryptographic algorithms supported by the mobile terminal, that is, its existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, a cryptographic algorithm upgrade), various cryptographic algorithms are needed for protection, and usually the cryptographic hardware accelerators are called to accelerate these algorithms and increase operation speed. Therefore, in the embodiments of the present invention, the cryptographic algorithms carried in the connection request sent by the mobile terminal are the algorithms on the cryptographic hardware accelerator of the mobile terminal.
303. When the algorithms in the target algorithm set are determined to be disabled algorithms, the server obtains the attribute information of the algorithms in the target algorithm set.
After the server obtains the information about the cryptographic algorithms on the hardware accelerator of the mobile terminal from the request, it selects from those algorithms a certain type of algorithm that is needed to protect the cryptographic algorithm upgrade process. The algorithms of that type among the existing algorithms of the mobile terminal are called the target algorithm set, which may contain only one algorithm or several algorithms.
It should be noted that, in practical applications, the server generally uses more than one type of algorithm to protect the cryptographic algorithm upgrade process, so the server may select several types of algorithms. The embodiments of the present invention are described using the example of the server selecting one type of algorithm.
An algorithm state list is stored on both the mobile terminal and the server. The algorithm state list contains attribute information for each existing algorithm of the mobile terminal, such as whether it is available or disabled and whether cascading is allowed.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by attackers or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a security risk.
If an algorithm allows cascading, it may be cascaded with itself multiple times or cascaded in combination with other algorithms to increase the security strength of the algorithm. In addition, the specific cascade mode of each algorithm that allows cascading can be stored in the algorithm state list.
After determining the target algorithm set, the server determines whether the algorithms in the target algorithm set are disabled algorithms according to the available or disabled attribute information in the algorithm state list.
The specific judgment method is as follows:
If the content of the server's cryptographic algorithm upgrade package includes disabling a cryptographic algorithm A on a hardware accelerator, then A is an algorithm to be disabled. When the server determines whether the target algorithms in the target algorithm set are all disabled algorithms, if the target algorithm set contains the algorithm A to be disabled, then A is also regarded as a disabled algorithm.
If the content of the server's cryptographic algorithm upgrade package does not include disabling a cryptographic algorithm on a hardware accelerator, the server directly checks, according to the algorithm state list of the existing algorithms, whether the target algorithms in the target algorithm set are in the disabled state, and can thereby determine whether the algorithms in the target algorithm set are all disabled algorithms.
If the server determines that the target algorithms in the target algorithm set are all disabled algorithms, it obtains from the algorithm state list the attribute information indicating whether each target algorithm allows cascading.
304. The server determines the disabled algorithms that allow cascading according to the attribute information.
The server determines the disabled algorithms that allow cascading according to whether each target algorithm is marked in the algorithm state list as allowing cascading.
305. The server selects one or more disabled algorithms that allow cascading and cascades them to generate a cascade algorithm.
After determining the disabled algorithms that allow cascading from the cascading attribute of the target algorithms in the algorithm state list, the server selects one or more of them and cascades them to generate a cascade algorithm, according to the characteristics of the algorithms or the specific cascade modes stored in the algorithm state list. For example: if the disabled algorithm E1 allows cascading, specifically a triple cascade of E1 with itself, the server may select E1 and generate the cascade algorithm by cascading E1 three times; if the disabled algorithms E1, E2 and E3 allow cascading, specifically a cascade of E1, E2 and E3, the server may select E1, E2 and E3 and cascade them to generate the cascade algorithm.
306. The server sends a cascade indication to the device to be upgraded.
After the server selects the algorithms to cascade, it sends a cascade indication to the mobile terminal. The cascade indication indicates the composition and the cascade mode of the cascade algorithm used by the server, so that the mobile terminal can select the corresponding algorithms from the algorithms of its cryptographic hardware accelerator according to the cascade indication and generate the cascade algorithm according to the cascade mode in the cascade indication. The mobile terminal can then use that specific algorithm to complete the upgrade process together with the server.
307. The server upgrades the cryptographic algorithm of the mobile terminal using the cascade algorithm and the cryptographic algorithm upgrade package.
After the server cascades the disabled algorithms to generate the cascade algorithm, the mobile terminal is upgraded using the cryptographic algorithm upgrade package, so as to disable an algorithm on the hardware accelerator or add a software-implemented algorithm, and the cascade algorithm generated by the server is used for protection during the upgrade process.
In the embodiments of the present invention, the cryptographic algorithm upgrade includes disabling a cryptographic algorithm on a hardware accelerator or adding a software-implemented algorithm. During the upgrade, the algorithms on the hardware accelerator of the mobile terminal are used to protect the upgrade process, which makes full use of the deployed algorithms and their accelerators, avoids wasting hardware resources, and at the same time effectively increases the strength of the cryptographic algorithm.
Secondly, in the embodiments of the present invention, the attribute indicating whether an algorithm allows cascading is stored in the algorithm state list, and when the server selects algorithms to cascade, it does so according to that attribute, which improves the realizability of the scheme.
In addition, in the embodiments of the present invention, after the server selects the algorithms to cascade, it sends a cascade indication to inform the mobile terminal of the selected algorithms and the cascade mode, so that the mobile terminal can cooperate with the server to complete the protected upgrade process, which improves the realizability of the scheme.
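The server-side selection in steps 303 to 305 and the cascade indication of step 306, as an added example that is not part of the patent text. The state-list fields, the algorithm names E1 to E4, the layout of the indication, the device-side checks and the error raised when no cascade is possible are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgoState:
    """One row of the algorithm state list (field names are assumptions)."""
    name: str
    kind: str                 # algorithm type, e.g. "pkg_encryption"
    disabled: bool            # True = disabled, False = available
    allows_cascade: bool
    cascade_mode: tuple = ()  # stored composition, e.g. ("E1", "E1", "E1")


# Constructed state list; E1..E4 are placeholder names as used in the text.
STATE_LIST = {
    s.name: s for s in (
        AlgoState("E1", "pkg_encryption", True, True, ("E1", "E1", "E1")),
        AlgoState("E2", "pkg_encryption", True, True, ("E1", "E2")),
        AlgoState("E3", "pkg_encryption", True, False),
        AlgoState("E4", "pkg_encryption", False, False),
    )
}


class NoUsableAlgorithm(Exception):
    """Neither an available algorithm nor a permitted cascade exists (assumed handling)."""


def is_disabled(name, state_list, to_disable):
    # An algorithm that the upgrade package is about to disable is treated
    # as disabled already, as in the judgment method for step 303.
    return state_list[name].disabled or name in to_disable


def choose_protection(device_algos, kind, state_list=STATE_LIST, to_disable=frozenset()):
    """Server side: pick an available algorithm of this kind, or build a cascade
    of disabled algorithms that allow cascading. Returns the cascade indication."""
    target = sorted(a for a in device_algos
                    if a in state_list and state_list[a].kind == kind)
    if not target:
        raise NoUsableAlgorithm(f"device reports no {kind} algorithm")
    available = [a for a in target if not is_disabled(a, state_list, to_disable)]
    if available:
        return {"kind": kind, "cascade": False, "composition": (available[0],)}
    # Every target algorithm is disabled: keep only those that allow cascading.
    cascadable = {a for a in target if state_list[a].allows_cascade}
    for name in target:
        mode = state_list[name].cascade_mode
        # A stored cascade mode is usable only if every member may be cascaded
        # and is present on the device.
        if name in cascadable and mode and set(mode) <= cascadable:
            return {"kind": kind, "cascade": True, "composition": mode}
    raise NoUsableAlgorithm(f"all {kind} algorithms are disabled and none can be cascaded")


def build_from_indication(indication, device_algos, state_list=STATE_LIST):
    """Device side: rebuild the cascade named in the indication, refusing
    components the device lacks or that its own state list does not permit."""
    composition = tuple(indication["composition"])
    if not composition:
        raise ValueError("empty composition")
    for name in composition:
        if name not in device_algos or name not in state_list:
            raise ValueError(f"unknown algorithm {name}")
        state = state_list[name]
        if state.kind != indication["kind"]:
            raise ValueError(f"{name} is not a {indication['kind']} algorithm")
        if indication["cascade"] and not state.allows_cascade:
            raise ValueError(f"{name} does not allow cascading")
        if not indication["cascade"] and state.disabled:
            raise ValueError(f"{name} is disabled and may not be used on its own")
    return composition


if __name__ == "__main__":
    device = {"E1", "E2", "E3", "E4"}
    indication = choose_protection(device, "pkg_encryption", to_disable={"E4"})
    print(indication, build_from_indication(indication, device))
```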
In a specific implementation, the cascade algorithm mainly protects the cryptographic algorithm upgrade process in two stages: when the https secure connection is established, and when the server sends the cryptographic algorithm upgrade package to the mobile terminal. These two scenarios are described in detail below.
First, a cascade algorithm is used to protect the upgrade process when the https secure connection is established.
Specifically, establishing an https secure connection requires several types of cryptographic algorithms for protection. The commonly used types are: 1) https encryption algorithm; 2) integrity protection algorithm; 3) https signature algorithm.
With reference to fig. 4, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
Steps 401 and 402 are the same as steps 301 and 302 in the embodiment shown in fig. 3 and are not described again here.
403. When the algorithms in the target algorithm set are all determined to be disabled algorithms, the server selects one or more disabled algorithms from the target algorithm set and cascades them to generate a cascade algorithm;
The request sent by the mobile terminal to the server is a request to establish an https connection. The server obtains the cryptographic algorithm information of the mobile terminal's hardware accelerator from the request and then selects from those algorithms the target algorithm sets needed to establish the https connection, including: the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set.
It should be noted that, in practical applications, in addition to selecting the https encryption algorithm set, the integrity protection algorithm set, and the https signature algorithm set, the server may also select other types of algorithm sets in the process of establishing the https connection, for example: the embodiments of the present invention take three types of algorithms commonly used in the https connection establishment process as an example, and when other types of algorithms are selected, the same manner in the embodiments of the present invention is also used for processing.
An algorithm state list is stored in both the mobile terminal and the server. It contains attribute information for each existing algorithm on the hardware accelerator of the mobile terminal, such as whether the algorithm is available or disabled and whether it allows cascading.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by attackers or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a potential security risk.
If an algorithm allows cascading, it may be cascaded with itself multiple times or cascaded with other algorithms to improve its security strength. The specific cascade modes of the algorithms that allow cascading can also be stored in the algorithm state list.
After determining the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set, the server checks the available or disabled attribute in the algorithm state list to determine whether each type has an available algorithm, and if so, it selects the available algorithm directly. When all cryptographic algorithms of one type are disabled, the server selects one or more disabled algorithms of that type that allow cascading and cascades them to generate a cascade algorithm.
For example: when all algorithms in the https encryption algorithm set are in a disabled state, one or more disabled algorithms are selected from the algorithms in the https encryption algorithm set to be cascaded to generate a cascaded https encryption algorithm, if available algorithms in the integrity protection algorithm set and the https signature algorithm set are selectable, an available integrity protection algorithm is selected from the integrity protection algorithm set, and an available https signature algorithm is selected from the https signature algorithm set.
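The selection rule of step 403 and the terminal-side use of the cascade indication, as an added Python example that is not code from the patent. The field names, the mode names (`3DES-EDE`, `AES-Twofish`), the indication layout and the terminal's rejection of a disabled algorithm offered on its own are assumptions made for illustration; the state list is constructed.

```python
from dataclasses import dataclass

# Field names, mode names and the indication layout are assumptions made for
# this example; the page does not define a concrete format.
@dataclass(frozen=True)
class AlgoState:
    name: str
    kind: str                    # "encryption", "integrity" or "signature"
    available: bool              # False means the algorithm is disabled
    allow_cascade: bool = False
    cascade_modes: tuple = ()    # cascade modes stored in the state list

# Cascade mode -> ordered composition (constructed).
CASCADE_MODES = {
    "3DES-EDE": ("DES", "DES", "DES"),
    "AES-Twofish": ("AES", "Twofish"),
}

# Constructed algorithm state list, held by both server and terminal.
STATE_LIST = {s.name: s for s in (
    AlgoState("DES", "encryption", False, True, ("3DES-EDE",)),
    AlgoState("RC4", "encryption", False),
    AlgoState("AES", "encryption", False, True, ("AES-Twofish",)),
    AlgoState("Twofish", "encryption", False, True, ("AES-Twofish",)),
    AlgoState("HMAC-SHA256", "integrity", True),
    AlgoState("RSA", "signature", True),
)}


def select_for_kind(kind, terminal_algos):
    """Server side: choose one algorithm or one cascade for a target set."""
    target = [STATE_LIST[n] for n in terminal_algos
              if n in STATE_LIST and STATE_LIST[n].kind == kind]
    for state in target:                      # an available algorithm wins
        if state.available:
            return {"kind": kind, "cascade": False, "mode": None,
                    "algorithms": [state.name]}
    cascadable = {s.name for s in target if s.allow_cascade}
    for state in target:                      # every algorithm is disabled
        if not state.allow_cascade:
            continue
        for mode in state.cascade_modes:
            parts = CASCADE_MODES[mode]
            if set(parts) <= cascadable:
                return {"kind": kind, "cascade": True, "mode": mode,
                        "algorithms": list(parts)}
    raise LookupError(f"no usable {kind} algorithm or cascade")


def build_on_terminal(indication, accelerator_algos):
    """Terminal side: check an indication against the local state list and
    return the ordered algorithm names to instantiate."""
    algos = tuple(indication["algorithms"])
    for name in algos:
        state = STATE_LIST.get(name)
        if state is None or name not in accelerator_algos:
            raise ValueError(f"{name} is not on the hardware accelerator")
        if state.kind != indication["kind"]:
            raise ValueError(f"{name} is not a {indication['kind']} algorithm")
    if not indication["cascade"]:
        # A disabled algorithm is never accepted on its own.
        if len(algos) != 1 or not STATE_LIST[algos[0]].available:
            raise ValueError("disabled algorithm offered without a cascade")
        return algos
    mode = indication["mode"]
    if CASCADE_MODES.get(mode) != algos:
        raise ValueError("composition does not match the cascade mode")
    for name in algos:
        state = STATE_LIST[name]
        if not state.allow_cascade or mode not in state.cascade_modes:
            raise ValueError(f"{name} does not allow cascade mode {mode}")
    return algos
```

Validating the indication against the terminal's own copy of the state list means a tampered indication that names a single disabled algorithm is refused instead of being used as a downgrade.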
404. The server establishes an https secure connection with the equipment to be upgraded through the cascade algorithm;
If at least one type of the algorithms that the server has determined for the https secure connection is a cascade algorithm, the server establishes the https secure connection with the mobile terminal through the cascade algorithms together with the other available algorithms that do not need cascading. The establishment of the https secure connection is similar to steps 103 to 111 in the embodiment shown in fig. 1. The following description takes as an example the case where all of the algorithms determined by the server for the https secure connection are cascade algorithms:
The server uses a cascade https encryption algorithm, a cascade integrity algorithm and a cascade https signature algorithm to establish the https connection with the mobile terminal. The specific process is as follows:
1) The server uses the public key of the mobile terminal to encrypt the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm and the cascade https signature algorithm and sends them to the mobile terminal. The cascade indications indicate the composition and the cascade mode of each cascade algorithm used by the server. The server also sends its certificate, which contains the public key of the server, to the mobile terminal.
2) The mobile terminal decrypts with its private key to obtain the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm and the cascade https signature algorithm, selects the corresponding algorithms from those on its cryptographic hardware accelerator according to the cascade indications, and generates the corresponding cascade https encryption algorithm, cascade integrity algorithm and cascade https signature algorithm according to the cascade mode in each cascade indication.
3) The mobile terminal generates a random number key;
4) The mobile terminal encrypts the random number key by using the cascade https signature algorithm, encrypts the random number key by using the public key of the server, and encrypts the handshake message by using the cascade https encryption algorithm and the cascade integrity algorithm.
5) The mobile terminal sends the encrypted random number key and the encrypted handshake message to the server.
6) The server decrypts by using its private key, decrypts by using the cascade https signature algorithm to obtain the random number key, decrypts by using the random number key and the cascade https encryption algorithm to obtain the handshake message, and verifies the integrity of the handshake message by using the cascade integrity algorithm.
7) The server encrypts a handshake message by using the cascade https encryption algorithm and the key, and encrypts the handshake message by using the cascade integrity algorithm.
8) The server sends the encrypted handshake message to the mobile terminal.
9) The mobile terminal decrypts the handshake message by using the cascade https encryption algorithm and the key, and verifies the integrity of the handshake message by using the cascade integrity algorithm. The handshake between the server and the mobile terminal succeeds, and the https connection between them is established.
405. The server sends the cryptographic algorithm upgrade package to the equipment to be upgraded through the https secure connection.
After the https secure connection is established between the server and the mobile terminal, communication data subsequently sent over the https secure transmission channel is encrypted with the https encryption algorithm used when the connection was established, and its integrity is protected with the integrity algorithm.
After the https secure connection is established between the server and the mobile terminal, the server sends the cryptographic algorithm upgrade package to the mobile terminal through the https secure connection.
If the https encryption algorithm used when the https secure connection was established is a cascade algorithm, the cryptographic algorithm upgrade package is encrypted with the cascade https encryption algorithm, and if the integrity algorithm used when the https connection was established is a cascade integrity algorithm, the integrity of the cryptographic algorithm upgrade package in transit is protected with the cascade integrity algorithm.
After receiving the cryptographic algorithm upgrade package, the mobile terminal decrypts it with the cascade https encryption algorithm and verifies its integrity with the cascade integrity algorithm. If the integrity verification succeeds, the mobile terminal upgrades the cryptographic algorithm with the cryptographic algorithm upgrade package.
In practical applications, the https encryption algorithm may be a symmetric encryption algorithm, for example the AES algorithm; the integrity algorithm may be a hash algorithm plus a corresponding input key; and the signature algorithm may be an asymmetric algorithm, for example the RSA algorithm. Some of these algorithms may be used in cascade to enhance the security of the cryptographic algorithm.
The cascaded use of the https encryption algorithm is taken as an example and explained in detail below.
In practical application, the https encryption algorithm is a symmetric encryption algorithm, and may be symmetric algorithms such as AES, RC4, DES, AES, Serpent, or Twofish, and if the mobile terminal supports AES, RC4, DES, AES, Serpent, and Twofish algorithms, the server may determine that AES, RC4, DES, AES, Serpent, and Twofish are the target https encryption algorithm set.
If the server determines from the algorithm state list that these symmetric encryption algorithms are all disabled, it determines from the list that DES, AES, Serpent and Twofish allow cascading. The specific cascade mode of DES is as follows: the block cipher is cascaded with itself, and a block of plaintext is encrypted repeatedly under different keys. The 3DES encryption process is C = E_K3(D_K2(E_K1(P))), and the 3DES decryption process is P = D_K1(E_K2(D_K3(C))). The specific cascade modes of AES, Serpent and Twofish are: AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Twofish-Serpent, or Serpent-Twofish-AES. The server can select 3DES as the cascade https encryption algorithm, or it can select AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Twofish-Serpent or Serpent-Twofish-AES as the cascade https encryption algorithm.
In the embodiment of the invention, when the https secure connection is established, the server determines the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set that need to be used. When all cryptographic algorithms in one type of algorithm set are disabled, one or more algorithms of that type can be selected and cascaded to generate a cascade algorithm, and other types of algorithms are processed in the same way. The server then establishes the https secure connection with the mobile terminal through the cascade algorithm and sends the cryptographic algorithm upgrade package to the mobile terminal through the https secure connection. The security of the cryptographic algorithm upgrade process is thereby improved.
Second, a cascade algorithm is used to protect the upgrade process when the cryptographic algorithm upgrade package is sent.
Specifically, when the cryptographic algorithm upgrade package is sent, several types of cryptographic algorithms are needed to protect it. The commonly used types are: 1) upgrade package signature algorithm; 2) upgrade package hash algorithm; 3) upgrade package encryption algorithm.
With reference to fig. 5, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
Steps 501 and 502 are the same as steps 301 and 302 in the embodiment shown in fig. 3 and are not described again here.
It should be noted that, in the embodiment of the present invention, before the server sends the upgrade package to the mobile terminal, it may establish an https connection with the mobile terminal; for the process of establishing the https secure connection, refer to the description of the embodiment shown in fig. 4.
503. When the algorithms in the target algorithm set are all determined to be disabled algorithms, the server selects one or more disabled algorithms from the target algorithm set and cascades them to generate a cascade algorithm;
When the cryptographic algorithm upgrade package is sent, the server obtains the cryptographic algorithm information of the mobile terminal's hardware accelerator from the connection request and selects the target algorithm sets that need to be used when the cryptographic algorithm upgrade package is sent, including: an upgrade package signature algorithm set, an upgrade package hash algorithm set and an upgrade package encryption algorithm set.
It should be noted that, in practical applications, when sending the cryptographic algorithm upgrade package the server may select other types of algorithm sets in addition to the upgrade package signature algorithm set, the upgrade package hash algorithm set and the upgrade package encryption algorithm set, for example an integrity algorithm set. The embodiment of the present invention takes three types of algorithms commonly used when sending the cryptographic algorithm upgrade package as examples, and other types of algorithms, when selected, are processed in the same manner.
After determining the upgrade package signature algorithm set, the upgrade package hash algorithm set and the upgrade package encryption algorithm set, the server checks the available or disabled attribute in the algorithm state list to determine whether each type has an available algorithm, and if so, it selects the available algorithm directly. When all cryptographic algorithms of one type are disabled, the server selects one or more disabled algorithms of that type that allow cascading and cascades them to generate a cascade algorithm.
For example: when all algorithms in the upgrade package signature algorithm set are in a disabled state, selecting one or more disabled algorithms from the algorithms in the upgrade package signature algorithm set to be cascaded to generate a cascaded upgrade package signature algorithm, and if available algorithms in the upgrade package hash algorithm set and the upgrade package encryption algorithm set are selectable, selecting one available upgrade package hash algorithm from the upgrade package hash algorithm set and selecting one available upgrade package encryption algorithm from the upgrade package encryption algorithm set.
504. The server protects the cryptographic algorithm upgrade package through the cascade algorithm;
When at least one type of the algorithms that the server has determined for sending the cryptographic algorithm upgrade package is a cascade algorithm, the upgrade package is protected through the cascade algorithms together with the other available algorithms that do not need cascading. The following takes as an example the case where the algorithms determined by the server for sending the upgrade package are a cascade upgrade package signature algorithm, a cascade upgrade package hash algorithm and a cascade upgrade package encryption algorithm:
The server hashes the upgrade package with the cascade upgrade package hash algorithm, signs the upgrade package with the cascade upgrade package signature algorithm, and encrypts the upgrade package with the cascade upgrade package encryption algorithm.
505. The server sends the cryptographic algorithm upgrade package to the equipment to be upgraded.
After protecting the cryptographic algorithm upgrade package through the cascade algorithms, the server sends it to the mobile terminal. The cryptographic algorithm upgrade package includes the cascade indications of all cascade algorithms used by the server, which indicate the composition and the cascade mode of each cascade algorithm used by the server.
After receiving the cryptographic algorithm upgrade package, the mobile terminal uses the cascade indications of all the cascade algorithms to generate the corresponding cascade algorithms from the cryptographic algorithms on its hardware accelerator.
If the server used the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm and the cascade upgrade package encryption algorithm to protect the cryptographic algorithm upgrade package, the cascade signature algorithm can be generated according to the indication of the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm according to the indication of the cascade upgrade package hash algorithm, and the cascade upgrade package encryption algorithm according to the indication of the cascade upgrade package encryption algorithm. The mobile terminal then decrypts the upgrade package with the cascade upgrade package encryption algorithm, verifies its signature with the cascade upgrade package signature algorithm, verifies its hash value with the cascade upgrade package hash algorithm, and, if the verification succeeds, performs the cryptographic algorithm upgrade with the cryptographic algorithm upgrade package.
It should be noted that, in practical applications, when the server signs the cryptographic algorithm upgrade package with the cascade signature algorithm, it first hashes the package with the hash algorithm to obtain a hash value and then signs the hash value with the cascade signature algorithm. If the algorithms in the target hash algorithm set are also all disabled, the server may first hash the cryptographic algorithm upgrade package with the cascade hash algorithm to obtain the hash value and then sign the hash value with the cascade signature algorithm.
In practical applications, the upgrade package encryption algorithm may be a symmetric encryption algorithm or an asymmetric algorithm, the upgrade package signature algorithm may be an asymmetric algorithm, for example the RSA algorithm, and the hash algorithm is a common hash function. Some of these algorithms can be used in cascade to enhance the security of the cryptographic algorithm.
The cascaded use of the hash algorithm is taken as an example and described in detail below.
In practical applications, the hash algorithm may be MD5, SHA1, SHA256, or the like, and if the mobile terminal supports MD5, SHA1, and SHA256 algorithms, the server may determine that MD5, SHA1, and SHA256 are the target hash algorithm set.
If the server determines from the algorithm state list that these hash algorithms are all disabled, it determines from the list that MD5 and SHA1 allow cascading. The specific cascade mode is as follows: the MD5 and SHA1 hash functions are cascaded to generate the digest, which enhances the reliability of the digest and increases the difficulty of forgery. For example, S may be hashed using the following mixing formula:
R=SHA1(MD5(S)+MD5(Salt))
Here, Salt is set to a complex string, which an attacker who does not know Salt can hardly recover by exhaustive search: even if S is simple, the value of MD5(Salt) can hardly be enumerated in a reasonable time.
The server may select the cascade of MD5 and SHA1 to hash the cryptographic algorithm upgrade package.
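The mixing formula R=SHA1(MD5(S)+MD5(Salt)) applied to an upgrade package on the server and checked on the terminal, as an added Python example that is not code from the patent. It assumes that "+" means concatenation of the raw digest bytes, that Salt is a secret already shared by server and terminal, and a hypothetical record layout; the package and salt values are constructed.

```python
import hashlib
import hmac

CHUNK = 64 * 1024   # hash large packages piecewise instead of in one buffer


def _digest(name, chunks):
    h = hashlib.new(name)
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def chunks_of(data, size=CHUNK):
    for i in range(0, len(data), size):
        yield data[i:i + size]


def cascade_hash(package_chunks, salt, inner="md5", outer="sha1"):
    """R = OUTER(INNER(S) + INNER(Salt)); the page uses inner=MD5, outer=SHA1.
    '+' is taken as concatenation of raw digests (assumption)."""
    inner_s = _digest(inner, package_chunks)
    inner_salt = _digest(inner, [salt])
    return _digest(outer, [inner_s + inner_salt])


def server_protect(package, salt):
    """Server side: hash the package and record which cascade was used.
    The record layout is hypothetical."""
    return {"cascade": ("md5", "sha1"),
            "digest": cascade_hash(chunks_of(package), salt).hex()}


def terminal_verify(package, salt, record, accelerator_hashes):
    """Terminal side: rebuild the cascade from the record, using only hash
    algorithms present on the accelerator, and compare in constant time."""
    inner, outer = record["cascade"]
    for name in (inner, outer):
        if name not in accelerator_hashes:
            raise ValueError(f"{name} is not on the hardware accelerator")
    expected = cascade_hash(chunks_of(package), salt, inner, outer)
    return hmac.compare_digest(expected, bytes.fromhex(record["digest"]))
```

Because S enters R only through MD5(S), two packages with the same MD5 digest give the same R whatever the salt, so the collision resistance of this cascade is no better than that of MD5.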
In the embodiment of the invention, when the cryptographic algorithm upgrade package is sent, the upgrade package signature algorithm set, the upgrade package hash algorithm set and the upgrade package encryption algorithm set that need to be used are determined. When all cryptographic algorithms in one type of algorithm set are disabled, one or more algorithms of that type can be selected and cascaded to generate a cascade algorithm, and other types of algorithms are processed in the same way. The cryptographic algorithm upgrade package is then protected through the cascade algorithm, the package and the cascade indication are sent to the mobile terminal, and the mobile terminal upgrades the cryptographic algorithm according to the cascade indication and the cryptographic algorithm upgrade package. The security of the cryptographic algorithm upgrade process is thereby improved.
The above is the description of the cryptographic algorithm upgrading method from the server side, and the following is the description of the cryptographic algorithm upgrading method from the device side to be upgraded.
With reference to fig. 6, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
601. The equipment to be upgraded detects a cryptographic algorithm upgrade signal sent by the server;
When a cryptographic algorithm upgrade package exists on the server, the server broadcasts upgrade information to the equipment to be upgraded at an appropriate time as required. The automatic detection program of the mobile terminal periodically checks whether a cryptographic algorithm upgrade package exists on the servers of the equipment manufacturer and the service operator.
The specific method of detection is prior art and will not be described in detail herein.
602. The equipment to be upgraded sends a connection request to the server;
If the mobile terminal detects that a cryptographic algorithm upgrade package exists on the server, it sends a connection request to the server. The request carries the existing cryptographic algorithm information of the mobile terminal, that is, the cryptographic algorithm information supported by the mobile terminal.
After the server obtains the existing cryptographic algorithm information of the mobile terminal from the request sent by the mobile terminal, a certain type of algorithm which needs to be used in the process of protecting the cryptographic algorithm upgrading is selected from the algorithms, the algorithm of the type selected by the server is called a target algorithm set, and the target algorithm set can only contain one algorithm or can contain a plurality of algorithms.
It should be noted that, in practical applications, the server generally uses not just one type of algorithm but several types to protect the cryptographic algorithm upgrade process, so the server may select several types of algorithms. The embodiment of the present invention is described taking as an example the case where the server selects one type of algorithm.
An algorithm state list is stored in both the mobile terminal and the server. It contains attribute information for each existing algorithm of the mobile terminal, such as whether the algorithm is available or disabled and whether it allows cascading.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by attackers or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a potential security risk.
If an algorithm allows cascading, it may be cascaded with itself multiple times or cascaded with other algorithms to improve its security strength. The specific cascade modes of the algorithms that allow cascading can also be stored in the algorithm state list.
After determining the target algorithm set, the server selects an available algorithm from it to protect the upgrade process. If the algorithms in the target algorithm set are all disabled, the server selects, according to the algorithm attribute information in the algorithm state list, one or more disabled algorithms that allow cascading from the set to generate a cascade algorithm. For example: if the server selects the disabled algorithm E1, E1 may be cascaded with itself multiple times; if the server selects the disabled algorithms E1 and E2, E1 may be cascaded with E2.
It should be noted that algorithm cascading is prior art and can improve the security strength of a cryptographic algorithm. Cascade encryption is used as an illustration below:
Cascade encryption means encrypting a message with algorithm E1 and key KE1 and then with algorithm E2 and key KE2; the cascade may be extended to more algorithms. For multiple encryption in cascade, research results show that if all of the keys are independent of each other, the cascade is at least as resistant to cryptanalysis as the first algorithm in the cascade; more specifically, under a chosen-plaintext attack, the cascade encryption is at least as hard to break as its constituent parts. Therefore, cascade encryption basically meets the requirement of increasing strength.
Specifically, the concatenated encryption process is:
the cascade decryption process is as follows:
The keys used by the algorithms must be independent of each other, which increases the key length and enhances security. Research results show that if the block length of the cascade cipher is m bits, the key length is k bits, and the number of cascaded ciphers is l, the unicity distance of the cascade cipher is lk/m. Generally, the longer the unicity distance, the better the cryptographic system. If lk ≤ 2m, the cascade cipher will most likely have 2^(lk) different mappings, which means that 2^(lk) attempts are required to attack the cascade cipher exhaustively.
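The 3DES form C = E_K3(D_K2(E_K1(P))) given earlier and the E1-then-E2 cascade with independent keys described above, as an added Python example that is not code from the patent. The block cipher is a toy Feistel construction used as a stand-in because the Python standard library has no DES or AES, and it must not be used to protect data; all names and key values are constructed.

```python
import hashlib

BLOCK = 8      # toy block size in bytes
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(tag, key, block, round_order):
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in round_order:
        f = hashlib.sha256(tag + bytes([i]) + key + right).digest()[:BLOCK // 2]
        left, right = right, _xor(left, f)
    return right + left      # final swap: decryption is the same walk reversed


def make_toy_cipher(tag):
    """Return (encrypt, decrypt) of a toy Feistel cipher; not a real cipher."""
    def encrypt(key, block):
        return _feistel(tag, key, block, range(ROUNDS))

    def decrypt(key, block):
        return _feistel(tag, key, block, reversed(range(ROUNDS)))
    return encrypt, decrypt


E1, D1 = make_toy_cipher(b"E1")   # stands in for one accelerator algorithm
E2, D2 = make_toy_cipher(b"E2")   # stands in for a second, different one


def ede_encrypt(k1, k2, k3, p):
    """C = E_K3(D_K2(E_K1(P))): one algorithm cascaded with itself."""
    return E1(k3, D1(k2, E1(k1, p)))


def ede_decrypt(k1, k2, k3, c):
    """P = D_K1(E_K2(D_K3(C)))."""
    return D1(k1, E1(k2, D1(k3, c)))


def cascade_encrypt(stages, block):
    """stages = [(encrypt, decrypt, key), ...], applied first to last.
    Distinct keys are the only part of independence that can be checked
    here; the keys should also be generated separately at random."""
    keys = [key for _, _, key in stages]
    if len(set(keys)) != len(keys):
        raise ValueError("cascade keys must be independent; a key is reused")
    for encrypt, _, key in stages:
        block = encrypt(key, block)
    return block


def cascade_decrypt(stages, block):
    for _, decrypt, key in reversed(stages):
        block = decrypt(key, block)
    return block
```

With K1 equal to K2 the first two EDE stages cancel and `ede_encrypt` reduces to a single encryption under K3, which is the concrete reason the keys must be independent.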
603. The equipment to be upgraded performs the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
After cascading the disabled algorithms to generate the cascade algorithm, the server sends a message to the mobile terminal indicating the available algorithms and the cascade algorithm that need to be used in the upgrade process. It also sends the cryptographic algorithm upgrade package to the mobile terminal.
After receiving the message sent by the server, the mobile terminal obtains the available algorithms and the cascade algorithm that need to be used in the upgrade process and protects the upgrade package and/or the upgrade process through these algorithms. After obtaining the cryptographic algorithm upgrade package, the mobile terminal uses it to upgrade the cryptographic algorithm.
In the embodiment of the invention, after detecting a cryptographic algorithm upgrading signal sent by a server, a mobile terminal sends a connection request to the server, wherein the connection request comprises information of an existing algorithm of the mobile terminal, the connection request is used for enabling the server to generate a cascade algorithm according to the existing algorithm, the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms allowing cascading in the existing algorithm, and equipment to be upgraded carries out cryptographic algorithm upgrading according to the cascade algorithm and a cryptographic algorithm upgrading packet sent by the server. Therefore, when all the selectable algorithms are forbidden algorithms, the safety of the cipher algorithm in the upgrading process can be improved through the cascade of the forbidden algorithms.
In practical applications, the mobile terminal sends the algorithm information of its cryptographic hardware accelerator to the server, and the algorithms on the hardware accelerator are called to protect the algorithm upgrade process. The mobile terminal obtains the specific cascade indication from the server and then generates the cascade algorithm required in the upgrade process according to the indication, as described in detail below.
With reference to fig. 7, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
701. The equipment to be upgraded detects a cryptographic algorithm upgrade signal sent by the server;
The cryptographic algorithms of a mobile terminal exist in two forms: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. A cryptographic hardware accelerator means that the cryptographic algorithm module is provided with dedicated hardware accelerators, one for each cryptographic algorithm, to improve operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, an upgrade signal is sent to the mobile terminal. The automatic detection program of the mobile terminal periodically checks whether there is an upgrade signal on the servers of the device manufacturer and the service operator.
The specific method of detection is prior art and will not be described in detail herein.
702. The equipment to be upgraded sends a connection request to the server;
When the mobile terminal detects the upgrade signal, it sends a connection request to the server. The request carries the cryptographic algorithm information supported by the mobile terminal, that is, its existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
After the mobile terminal sends the connection request, the server receives it. The server obtains the cryptographic algorithm information on the hardware accelerator of the mobile terminal from the request and selects, from those algorithms, a certain type of algorithm needed to protect the cryptographic algorithm upgrade. The algorithms of that type among the existing algorithms of the mobile terminal are called the target algorithm set; the target algorithm set may contain only one algorithm or several algorithms.
It should be noted that, in practical applications, the server generally uses not just one type of algorithm but multiple types to protect the cryptographic algorithm upgrade, so the server may select multiple types of algorithms. The embodiment of the present invention is described using the example in which the server selects one type of algorithm.
An algorithm state list is stored in both the mobile terminal and the server. The algorithm state list contains attribute information about the existing algorithms of the mobile terminal, such as whether each algorithm is available or disabled and whether cascading is allowed.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by an attacker or has some security problem, and using it directly to protect the cryptographic algorithm upgrade poses a potential security risk.
If an algorithm allows cascading, it may be cascaded multiple times with itself or cascaded in combination with other algorithms to improve its security strength. In addition, the specific cascading manner of each algorithm that allows cascading can be stored in the algorithm state list.
After determining the target algorithm set, the server judges whether the algorithms in the target algorithm set are disabled algorithms according to the available or disabled attribute information in the algorithm state list.
The server determines the disabled algorithms that allow cascading according to the cascade-allowed attribute of the target algorithms in the algorithm state list, and then selects one or more of them and cascades them to generate a cascade algorithm, according to the characteristics of the algorithms or the specific cascading manner stored in the algorithm state list. For example: if the disabled algorithm E1 allows cascading, specifically triple cascading of E1 with itself, the server may select E1 and generate a cascade algorithm by cascading E1 three times; if the disabled algorithms E1, E2, and E3 allow cascading, specifically cascading E1, E2, and E3 together, the server may select E1, E2, and E3 and cascade them to generate a cascade algorithm.
703. The equipment to be upgraded receives a cascade instruction sent by the server;
After the server selects the algorithms and cascades them, it sends a cascade instruction to the mobile terminal, and the mobile terminal receives it. The cascade instruction indicates the composition and the cascading manner of the cascade algorithm used by the server.
704. The equipment to be upgraded generates a cascade algorithm according to the cascade instruction and the existing algorithm;
After receiving the cascade instruction, the mobile terminal selects the corresponding algorithms from the algorithms of its own cryptographic hardware accelerator according to the cascade instruction and generates the cascade algorithm according to the cascading manner given in the instruction.
705. The equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
After generating the cascade algorithm according to the cascade instruction, the mobile terminal carries out the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package sent by the server.
In the embodiment of the invention, during the cryptographic algorithm upgrade the algorithms on the hardware accelerator of the mobile terminal are used to protect the upgrade process, so the deployed algorithms and their accelerators are fully utilized, waste of hardware resources is avoided, and the strength of the cryptographic algorithm can be effectively enhanced.
In addition, in the embodiment of the invention, the mobile terminal generates the cascade algorithm needed to be used in the upgrading process through the cascade indication to complete the upgrading protection process by matching with the server, so that the realizability of the scheme is improved.
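The selection rule and the cascade instruction described above can be sketched as follows. This is an added example, not code from the patent; the state-list fields, the instruction layout, the placeholder names E1..E3, M1 and S1, and the device-side checks are assumptions, and the choice is made per algorithm type as the later embodiments do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgoState:
    name: str
    kind: str                 # algorithm type: "encryption", "integrity", "signature"
    available: bool           # False = disabled in the algorithm state list
    cascade_allowed: bool
    cascade_mode: tuple = ()  # stored cascading manner: ordered component names


# Constructed algorithm state list, held by both server and device.
# E1..E3, M1 and S1 are placeholder names, not real algorithms.
STATE_LIST = {
    s.name: s
    for s in (
        AlgoState("E1", "encryption", False, True, ("E1", "E1", "E1")),
        AlgoState("E2", "encryption", False, True, ("E1", "E2", "E3")),
        AlgoState("E3", "encryption", False, True),
        AlgoState("M1", "integrity", True, False),
        AlgoState("S1", "signature", False, False),
    )
}


class NoUsableAlgorithm(Exception):
    """No available algorithm and no permitted cascade for this type."""


class RejectedInstruction(Exception):
    """The device refuses to build what the instruction asks for."""


def select_for_kind(kind, reported, state_list=STATE_LIST):
    """Server side: choose the algorithm or cascade for one algorithm type.

    `reported` is the accelerator algorithm list from the connection request.
    """
    target_set = [state_list[n] for n in reported
                  if n in state_list and state_list[n].kind == kind]
    # An available algorithm is used directly, without cascading.
    for algo in target_set:
        if algo.available:
            return {"kind": kind, "components": [algo.name]}
    # All disabled: only cascade-allowed algorithms the device has may be used.
    cascadable = {a.name for a in target_set if a.cascade_allowed}
    for algo in target_set:
        recipe = algo.cascade_mode
        if algo.cascade_allowed and len(recipe) > 1 and set(recipe) <= cascadable:
            return {"kind": kind, "components": list(recipe)}
    raise NoUsableAlgorithm(kind)


def build_cascade(instruction, accelerator, state_list=STATE_LIST):
    """Device side: check a cascade instruction against the local state list.

    Returns the ordered component names to chain on the accelerator.
    """
    kind, components = instruction["kind"], instruction["components"]
    if not components:
        raise RejectedInstruction("empty instruction")
    for name in components:
        state = state_list.get(name)
        if state is None or name not in accelerator:
            raise RejectedInstruction(f"{name}: not on this device")
        if state.kind != kind:
            raise RejectedInstruction(f"{name}: wrong algorithm type")
        # A disabled algorithm is acceptable only inside a real cascade.
        if not state.available and (len(components) < 2 or not state.cascade_allowed):
            raise RejectedInstruction(f"{name}: disabled, not usable this way")
    return tuple(components)


if __name__ == "__main__":
    reported = ["E1", "E2", "E3", "M1", "S1"]  # constructed connection request
    for kind in ("encryption", "integrity", "signature"):
        try:
            instruction = select_for_kind(kind, reported)
            print(kind, "->", build_cascade(instruction, set(reported)))
        except NoUsableAlgorithm:
            print(kind, "-> no usable algorithm, upgrade cannot be protected")
```

The device-side check matters because the cascade instruction arrives from the network: an instruction that names a disabled algorithm on its own, or one that is not marked cascade-allowed, would otherwise silently downgrade the protection.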
In a specific implementation, the cascade algorithm protects the cryptographic algorithm upgrade process mainly at two stages: when the https secure connection is established, and when the mobile terminal receives the cryptographic algorithm upgrade package sent by the server. These two scenarios are described in detail below.
First, a cascade algorithm is used to protect the upgrade process when the https secure connection is established.
Specifically, when https security connection is established, various types of cryptographic algorithms are required for protection, and several types of commonly used algorithms are described below: 1) https encryption algorithm; 2) an integrity protection algorithm; 3) https signature algorithm.
With reference to fig. 8, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
801. The equipment to be upgraded detects a cryptographic algorithm upgrade signal sent by the server;
Cryptographic algorithms exist on a mobile terminal in two forms: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. A cryptographic hardware accelerator means that the cryptographic algorithm module provides a dedicated hardware accelerator for each cryptographic algorithm in order to increase operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, an upgrade signal is sent to the mobile terminal. The automatic detection program of the mobile terminal periodically checks whether there is an upgrade signal on the servers of the device manufacturer and the service operator.
The specific method of detection is prior art and will not be described in detail herein.
802. The equipment to be upgraded sends a connection request to the server;
When the mobile terminal detects the upgrade signal, it sends a connection request to the server. The request carries information about the cryptographic algorithms supported by the mobile terminal, that is, its existing cryptographic algorithms.
When software upgrade (for example, cipher algorithm upgrade) of a mobile terminal is performed, each cipher hardware accelerator is usually called to accelerate each cipher algorithm, so as to increase the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
803. The equipment to be upgraded and the server establish an https secure connection through a cascade algorithm;
The request sent by the mobile terminal to the server is a request to establish an https connection. The server obtains the cryptographic algorithm information on the hardware accelerator of the mobile terminal from the request and then selects, from those algorithms, the several target algorithm sets needed during https connection establishment, including: the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set.
It should be noted that, in practical applications, in addition to selecting the https encryption algorithm set, the integrity protection algorithm set, and the https signature algorithm set, the server may also select other types of algorithm sets in the process of establishing the https connection, for example: the embodiments of the present invention take three types of algorithms commonly used in the https connection establishment process as an example, and when other types of algorithms are selected, the same manner in the embodiments of the present invention is also used for processing.
After determining the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set, the server determines whether each type of algorithm has an algorithm with an available state according to available or forbidden attribute information in the algorithm state list, and if the algorithm with the available state exists, the server directly selects the algorithm with the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the https encryption algorithm set are in a disabled state, one or more disabled algorithms are selected from the algorithms in the https encryption algorithm set to be cascaded to generate a cascaded https encryption algorithm, if available algorithms in the integrity protection algorithm set and the https signature algorithm set are selectable, an available integrity protection algorithm is selected from the integrity protection algorithm set, and an available https signature algorithm is selected from the https signature algorithm set.
Among the algorithms that the server determines are needed for the https secure connection, if at least one type is a cascade algorithm, the https secure connection with the mobile terminal is established through those cascade algorithms together with the other available algorithms that do not need to be cascaded. Specifically, the establishment of the https secure connection is similar to steps 103 to 111 in the embodiment shown in fig. 1. The following description takes as an example the case in which all the algorithms the server determines are needed for the https secure connection are cascade algorithms:
The server uses a cascade https encryption algorithm, a cascade integrity algorithm and a cascade https signature algorithm to establish the https connection with the mobile terminal. The specific process is as follows:
1) The server uses the public key of the mobile terminal to encrypt the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm and the cascade https signature algorithm and sends them to the mobile terminal; the cascade indications indicate the composition and the cascading manner of each cascade algorithm used by the server. The server also sends its certificate, which contains the public key of the server, to the mobile terminal.
2) The mobile terminal decrypts with its private key to obtain the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm and the cascade https signature algorithm, selects the corresponding algorithms from the algorithms of its cryptographic hardware accelerator according to the cascade indications, and generates the corresponding cascade https encryption algorithm, cascade integrity algorithm and cascade https signature algorithm according to the cascading manner in the cascade indications.
3) The mobile terminal generates a random number key.
4) The mobile terminal encrypts the random number key by using the cascade https signature algorithm, encrypts the random number key by using the public key of the server, and encrypts the handshake message by using the cascade https encryption algorithm and the cascade integrity algorithm.
5) The mobile terminal sends the encrypted random number key and the encrypted handshake message to the server.
6) The server decrypts by using its private key, decrypts by using the cascade https signature algorithm to obtain the random number key, decrypts by using the random number key and the cascade https encryption algorithm to obtain the handshake message, and performs integrity verification on the handshake message by using the cascade integrity algorithm.
7) The server encrypts a section of handshake message by using the cascade https encryption algorithm and the key, and encrypts the handshake message by using the cascade integrity algorithm.
8) The server sends the encrypted handshake message to the mobile terminal.
9) The mobile terminal decrypts the handshake message by using the cascade https encryption algorithm and the key, and verifies the integrity of the handshake message by using the cascade integrity algorithm. The handshake between the server and the mobile terminal then succeeds, and the https connection between the server and the mobile terminal is successfully established.
804. The equipment to be upgraded receives a cryptographic algorithm upgrading packet sent by the server through https secure connection;
After the https secure connection is established between the mobile terminal and the server, communication data subsequently sent in the https secure transmission channel is encrypted with the https encryption algorithm used when the connection was established, and its integrity is protected with the integrity algorithm.
After https secure connection is established between the server and the mobile terminal, the server sends a cryptographic algorithm upgrade packet to the mobile terminal through the https secure connection, and the mobile terminal receives the cryptographic algorithm upgrade packet sent by the server through the https secure connection.
805. The equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
If the https encryption algorithm used when the https secure connection was established is a cascade algorithm, the upgrade package received by the mobile terminal is a cryptographic algorithm upgrade package encrypted by the cascade https encryption algorithm; if the integrity algorithm used when the https connection was established is a cascade integrity algorithm, the upgrade package received by the mobile terminal is a cryptographic algorithm upgrade package protected by the cascade integrity algorithm.
After the mobile terminal receives the cryptographic algorithm upgrading packet, the cryptographic algorithm upgrading packet is decrypted through the cascading https encryption algorithm, meanwhile, the integrity of the cryptographic algorithm upgrading packet is verified through the cascading integrity algorithm, and if the integrity of the cryptographic algorithm upgrading packet is verified, the cryptographic algorithm is upgraded through the cryptographic algorithm upgrading packet.
In the embodiment of the invention, when https security connection is established, an https encryption algorithm, an integrity protection algorithm and an https signature algorithm are required to be used, when all cryptographic algorithms in a type of algorithm set are in a disabled state, one or more algorithms of the type can be selected for cascade connection to generate a cascade algorithm, then https security connection is established between a mobile terminal and a server through the cascade algorithm, and then a cryptographic algorithm upgrading packet sent by the server through the https security connection is received. Therefore, the safety of the cryptographic algorithm in the upgrading process is improved.
Second, a cascade algorithm is used to protect the upgrade process when the cryptographic algorithm upgrade package is received.
Specifically, when the mobile terminal receives the cryptographic algorithm upgrade package sent by the server, multiple types of cryptographic algorithms are needed to protect the upgrade package. The following description uses several commonly used types of algorithms: 1) upgrade package signature algorithm; 2) upgrade package hash algorithm; 3) upgrade package encryption algorithm.
With reference to fig. 9, an upgrading method for a cryptographic algorithm in the embodiment of the present invention includes:
Step 901 and step 902 are the same as step 701 and step 702 in the embodiment shown in fig. 7, and are not described herein again.
It should be noted that, in the embodiment of the present invention, before the mobile terminal receives the cryptographic algorithm upgrade package sent by the server, the server may establish an https connection with the mobile terminal; for the specific process of establishing the https secure connection, refer to the description of the embodiment shown in fig. 8.
903. The equipment to be upgraded receives a cryptographic algorithm upgrading packet sent by the server;
When the server sends the cryptographic algorithm upgrade package, it obtains the cryptographic algorithm information on the hardware accelerator of the mobile terminal from the connection request and selects the several target algorithm sets needed when sending the upgrade package, including: an upgrade package signature algorithm set, an upgrade package hash algorithm set and an upgrade package encryption algorithm set.
It should be noted that, in practical applications, when sending the cryptographic algorithm upgrade package the server may select other types of algorithm sets in addition to the upgrade package signature algorithm set, the upgrade package hash algorithm set, and the upgrade package encryption algorithm set, for example an integrity algorithm set. The embodiment of the present invention is described using three types of algorithms commonly used when sending the cryptographic algorithm upgrade package as examples; when other types of algorithms are selected, they are processed in the same manner as in the embodiment of the present invention.
After determining the upgrade package signature algorithm set, the upgrade package hash algorithm set and the upgrade package encryption algorithm set, the server determines whether each type of algorithm has an algorithm with an available state according to available or forbidden attribute information in the algorithm state list, and if the algorithm with the available state exists, the server directly selects the algorithm with the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the upgrade package signature algorithm set are in a disabled state, selecting one or more disabled algorithms from the algorithms in the upgrade package signature algorithm set to be cascaded to generate a cascaded upgrade package signature algorithm, and if available algorithms in the upgrade package hash algorithm set and the upgrade package encryption algorithm set are selectable, selecting one available upgrade package hash algorithm from the upgrade package hash algorithm set and selecting one available upgrade package encryption algorithm from the upgrade package encryption algorithm set.
When, among the algorithms the server determines are needed for sending the cryptographic algorithm upgrade package, at least one type is a cascade algorithm, the upgrade package is protected through those cascade algorithms together with the other available algorithms that do not need to be cascaded. The specific manner of protecting the upgrade package is illustrated below, taking as an example the case in which the algorithms the server decides to use when sending the upgrade package are a cascade upgrade package signature algorithm, a cascade upgrade package hash algorithm and a cascade upgrade package encryption algorithm:
The server hashes the upgrade package with the cascade upgrade package hash algorithm, signs the upgrade package with the cascade upgrade package signature algorithm, and encrypts the upgrade package with the cascade upgrade package encryption algorithm.
The server sends the protected cipher algorithm upgrading packet to the mobile terminal, and the mobile terminal receives the cipher algorithm upgrading packet sent by the server. The upgrade package includes a cascade instruction of each cascade algorithm used, and the cascade instruction is used for instructing the configuration and the cascade mode of each cascade algorithm used by the server.
904. The equipment to be upgraded decrypts or verifies the cryptographic algorithm upgrading packet through the cascade signature algorithm;
After receiving the cryptographic algorithm upgrade package, the mobile terminal uses the cascade indication of each cascade algorithm in the upgrade package to generate the corresponding cascade algorithm from the cryptographic algorithms on its hardware accelerator.
If the server uses the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm and the cascade upgrade package encryption algorithm to protect the cipher algorithm upgrade package, the mobile terminal can generate the cascade signature algorithm according to the indication of the cascade upgrade package signature algorithm, generate the cascade upgrade package hash algorithm according to the indication of the cascade upgrade package hash algorithm and generate the cascade upgrade package encryption algorithm according to the indication of the cascade upgrade package encryption algorithm.
The mobile terminal decrypts the upgrade package by using the cascade upgrade package encryption algorithm, then performs signature verification on the upgrade package by using the cascade upgrade package signature algorithm, and performs hash value verification on the upgrade package by using the cascade upgrade package hash algorithm.
905. If the verification is successful, the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
If the mobile terminal successfully decrypts the upgrade package by using the cascade upgrade package encryption algorithm, successfully signs and verifies the upgrade package by using the cascade upgrade package signature algorithm, and successfully verifies the hash value of the upgrade package by using the cascade upgrade package hash algorithm, the cipher algorithm upgrade package is used for carrying out cipher algorithm upgrade.
In the embodiment of the invention, a mobile terminal receives an upgrade packet which is protected by an upgrade packet signature algorithm, an upgrade packet Hash algorithm and an upgrade packet encryption algorithm and sent by a server, when the cryptographic algorithms in one type of algorithm set are all in a forbidden state, the server uses a cascade algorithm which is generated by cascading one or more algorithms of the type to protect the upgrade packet, after receiving the upgrade packet, the mobile terminal generates a corresponding cascade algorithm according to the indication of the cascade algorithm in the upgrade packet, verifies the upgrade packet by the cascade algorithm, and upgrades the cryptographic algorithm after the verification is passed. Therefore, the upgrading safety of the cryptographic algorithm is ensured when all the algorithms selectable by the server are forbidden algorithms in the upgrading process.
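The hash-value check of steps 903 to 905 can be sketched as follows, with the device rebuilding the cascade hash from the cascade instruction carried in the package. This is an added example, not code from the patent; the package layout, the use of MD5 and SHA-1 as stand-ins for disabled accelerator hashes, and the concatenation cascading manner are assumptions, and the decryption and signature verification steps are left out.

```python
import hashlib
import hmac
import json

# Stand-ins for the hash algorithms on the device's accelerator. In this
# constructed state list both are disabled but allowed to cascade.
ACCELERATOR_HASHES = {
    "MD5": lambda data: hashlib.md5(data).digest(),
    "SHA1": lambda data: hashlib.sha1(data).digest(),
}
CASCADE_ALLOWED = {"MD5", "SHA1"}


def cascade_hash(components, data):
    """Assumed cascading manner: each component hashes the same input and the
    digests are concatenated, so a collision must hold for every component."""
    return b"".join(ACCELERATOR_HASHES[name](data) for name in components)


def build_package(payload, components):
    """Server side. Constructed layout: one JSON header line, then the payload."""
    header = {
        "cascade": {"kind": "hash", "components": list(components)},
        "digest": cascade_hash(components, payload).hex(),
    }
    return json.dumps(header).encode() + b"\n" + payload


def verify_package(package):
    """Device side: rebuild the cascade hash from the instruction in the package
    and check the hash value. Returns the payload, or None if anything fails."""
    try:
        head, payload = package.split(b"\n", 1)
        header = json.loads(head)
        components = header["cascade"]["components"]
        expected = bytes.fromhex(header["digest"])
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(components, list):
        return None
    # Every named algorithm must exist on the accelerator and allow cascading.
    for name in components:
        if not isinstance(name, str):
            return None
        if name not in ACCELERATOR_HASHES or name not in CASCADE_ALLOWED:
            return None
    # Both stand-ins are disabled, so a single algorithm (or the same one
    # repeated, which adds nothing in concatenation mode) is refused.
    if len(set(components)) < 2:
        return None
    actual = cascade_hash(components, payload)
    return payload if hmac.compare_digest(actual, expected) else None


if __name__ == "__main__":
    payload = b"constructed upgrade payload"
    package = build_package(payload, ["MD5", "SHA1"])
    print("intact package accepted:", verify_package(package) == payload)
    print("tampered package accepted:", verify_package(package + b"!") is not None)
```

The cascading manner is part of what the instruction must pin down: with concatenation a forged package needs a simultaneous collision in every component, whereas feeding one hash's output into the next would let a collision in the first component carry through the whole cascade.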
The above is a description of the cryptographic algorithm upgrading method in the embodiment of the present invention, and the following describes a server in the embodiment of the present invention from the perspective of a modular functional entity.
With reference to fig. 10, a server 10 provided in an embodiment of the present invention includes:
a sending unit 1001, configured to send a cryptographic algorithm upgrade signal to a device to be upgraded, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on a server;
the receiving unit 1002 is configured to receive a connection request sent by a device to be upgraded, where the connection request includes information of an existing algorithm of the device to be upgraded;
the processing unit 1003 is configured to select one or more forbidden algorithms from the target algorithm set to be cascaded to generate a cascaded algorithm when it is determined that the algorithms in the target algorithm set are all forbidden algorithms, where the target algorithm set is a set of algorithms in existing algorithms; and then, the equipment to be upgraded is subjected to cryptographic algorithm upgrading through the cascade algorithm and the cryptographic algorithm upgrading packet.
In the embodiment of the present invention, the sending unit 1001 sends a cryptographic algorithm upgrade signal to the mobile terminal. After the receiving unit 1002 receives the connection request sent by the mobile terminal, when the processing unit 1003 determines that all algorithms in the target algorithm set are disabled algorithms, it does not directly select a disabled algorithm to carry out the cryptographic algorithm upgrade with the mobile terminal; instead it selects one or more target algorithms from the target algorithm set and cascades them to generate a cascade algorithm, and the mobile terminal is upgraded through the cascade algorithm and the cryptographic algorithm upgrade package. The cascade algorithm can effectively enhance the security strength of the algorithm, so the security of the cryptographic algorithm upgrade process can be effectively improved.
With reference to fig. 11, a server 11 provided in an embodiment of the present invention includes:
a sending unit 1101, configured to send a cryptographic algorithm upgrade signal to a device to be upgraded, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on a server;
a receiving unit 1102, configured to receive a connection request sent by a device to be upgraded, where the connection request includes information of an existing algorithm of the device to be upgraded;
the processing unit 1103 is configured to, when it is determined that all the algorithms in the target algorithm set are forbidden algorithms, select one or more forbidden algorithms from the target algorithm set to cascade to generate a cascade algorithm, where the target algorithm set is a set of algorithms in existing algorithms; and then, the equipment to be upgraded is subjected to cryptographic algorithm upgrading through the cascade algorithm and the cryptographic algorithm upgrading packet.
The processing unit 1103 is specifically configured to obtain attribute information of a target algorithm in the target algorithm set, determine, according to the attribute information, a forbidden algorithm that allows cascading, and select one or more forbidden algorithms that allow cascading to perform cascading to generate a cascading algorithm.
In addition, the processing unit 1103 is further configured to determine whether the target algorithm is an algorithm to be disabled indicated in the upgrade package, and if so, determine that the target algorithm is a disabled algorithm; or, the method is further used for determining whether the target algorithm is in a disabled state according to the information of the existing algorithm, and if so, determining that the target algorithm is the disabled algorithm.
The sending unit 1101 is further configured to send a cascade instruction to the device to be upgraded, so that the device to be upgraded generates a cascade algorithm according to the cascade instruction and an existing algorithm, and the cascade instruction is used for indicating the configuration and the cascade manner of the cascade algorithm.
The following describes the interaction between the unit modules in the server 11 according to the present invention in a specific application scenario:
Cryptographic algorithms exist on a mobile terminal in two forms: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. A cryptographic hardware accelerator means that the cryptographic algorithm module provides a dedicated hardware accelerator for each cryptographic algorithm in order to increase operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server 11 decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, the sending unit 1101 sends an upgrade signal to the mobile terminal. The automatic detection program of the mobile terminal periodically checks whether there is an upgrade signal on the servers of the device manufacturer and the service operator, and when the mobile terminal detects the upgrade signal, it sends a connection request to the receiving unit 1102.
After the mobile terminal sends a connection request to the receiving unit 1102, the receiving unit 1102 receives the connection request of the mobile terminal, where the request carries cryptographic algorithm information supported by the mobile terminal, that is, existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
After the receiving unit 1102 receives the connection request of the mobile terminal, the processing unit 1103 obtains, from the request, the cryptographic algorithm information on the hardware accelerator of the mobile terminal and selects from those algorithms one type of algorithm that is needed to protect the cryptographic algorithm upgrade process. The algorithms of that type among the existing algorithms of the mobile terminal are referred to as the target algorithm set, which may include only one algorithm or multiple algorithms.
It should be noted that, in practical applications, the processing unit 1103 of the server 11 generally uses not just one type of algorithm but multiple types to protect the cryptographic algorithm upgrade process, so the processing unit 1103 may select multiple types of algorithms. The embodiment of the present invention takes the selection of one of those types by the processing unit 1103 as an example.
An algorithm state list is stored in both the mobile terminal and the server 11. The algorithm state list contains attribute information for each existing algorithm of the mobile terminal, such as whether the algorithm is available or disabled and whether cascading is allowed.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by an attacker or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a potential security risk.
If an algorithm allows cascading, it may be cascaded with itself multiple times or combined with other algorithms in a cascade to improve the security strength. In addition, the specific cascading manner of each algorithm that allows cascading can be stored in the algorithm state list.
After determining the target algorithm set, the processing unit 1103 determines, according to the available or disabled attribute information in the algorithm state list, whether the algorithms in the target algorithm set are disabled algorithms.
The specific judgment method is as follows:
If the content of the cryptographic algorithm upgrade package of the server 11 includes disabling a cryptographic algorithm A on a hardware accelerator, A is an algorithm to be disabled. When the server determines whether the target algorithms in the target algorithm set are all disabled algorithms and the target algorithm set includes the algorithm A to be disabled, A is also treated as a disabled algorithm.
If the content of the cryptographic algorithm upgrade package of the server 11 does not include disabling a cryptographic algorithm on a hardware accelerator, the server judges directly from the algorithm state list of the existing algorithms whether each target algorithm in the target algorithm set is in the disabled state, and can thereby determine whether the algorithms in the target algorithm set are all disabled algorithms.
If the processing unit 1103 determines that the target algorithms in the target algorithm set are all disabled algorithms, it obtains from the algorithm state list the attribute information indicating whether cascading is allowed for each target algorithm.
The processing unit 1103 determines the disabled algorithms that allow cascading according to the cascading-allowed attribute of the target algorithms in the algorithm state list.
After determining the disabled algorithms that allow cascading, the processing unit 1103 selects one or more of them and cascades them, according to the characteristics of the algorithms themselves or the specific cascading manner stored in the algorithm state list, to generate a cascade algorithm. For example, if the disabled algorithm E1 allows cascading and its cascading manner is a triple cascade of E1 with itself, the processing unit 1103 may select E1 and triple-cascade it to generate a cascade algorithm; if the disabled algorithms E1, E2, and E3 allow cascading and the cascading manner is a cascade of E1, E2, and E3, the processing unit 1103 may select E1, E2, and E3 and cascade them to generate a cascade algorithm.
After selecting the algorithms for cascading, the processing unit 1103 sends a cascade instruction to the mobile terminal. The cascade instruction indicates the composition and cascading manner of the cascade algorithm used by the server, so that the mobile terminal can select the corresponding algorithms from those of its own cryptographic hardware accelerator and generate the cascade algorithm according to the cascading manner in the cascade instruction. The mobile terminal can then complete the upgrade process in cooperation with the server using that specific algorithm.
After the disabled algorithms are cascaded to generate the cascade algorithm, the processing unit 1103 uses the cryptographic algorithm upgrade package to upgrade the mobile terminal, so as to disable the algorithm on the hardware accelerator or add the software-implemented algorithm, and protects the mobile terminal during the upgrade process using the cascade algorithm generated by the server.
In the embodiment of the present invention, the cryptographic algorithm upgrade includes disabling a cryptographic algorithm on a hardware accelerator or adding a software-implemented algorithm. During the upgrade, the processing unit 1103 protects the upgrade process by using the algorithms on the hardware accelerator of the mobile terminal, making full use of the deployed algorithms and their accelerators, thereby avoiding waste of hardware resources and effectively enhancing the strength of the cryptographic algorithm.
Secondly, in the embodiment of the present invention, the attribute of whether the algorithm allows cascading is stored in the algorithm state list, and when the processing unit 1103 selects the algorithm for cascading, the processing unit performs cascading according to the attribute of the algorithm that allows cascading, so that the implementability of the scheme is improved.
In addition, in the embodiment of the present invention, after the processing unit 1103 selects the algorithms to cascade, the server 11 sends the cascade instruction to notify the mobile terminal of the selected algorithms and the cascading manner, so that the mobile terminal completes the upgrade protection process in cooperation with the processing unit 1103, which improves the implementability of the scheme.
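The selection rule described above for the processing unit 1103 can be written out as follows. This is an added Python example, not code from the patent: it picks an available algorithm when one exists, treats an algorithm that the upgrade package is about to disable as already disabled, and otherwise builds a cascade from disabled algorithms that allow cascading. The record layout, the names H1, S1 and S2, the storage of the cascading manner as an ordered tuple of stages, and the check that every stage is present on the terminal are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgoState:
    """One row of the algorithm state list (layout is an assumption)."""
    name: str
    kind: str                   # "encryption", "integrity" or "signature"
    available: bool             # False means the algorithm is disabled
    allow_cascade: bool
    cascade_manner: tuple = ()  # ordered stages stored in the state list


# Constructed sample state list. E1 and E2 follow the page's naming;
# H1, S1 and S2 are hypothetical names.
STATE_LIST = [
    AlgoState("E1", "encryption", False, True, ("E1", "E1", "E1")),
    AlgoState("E2", "encryption", False, False),
    AlgoState("H1", "integrity", True, False),
    AlgoState("S1", "signature", True, True, ("S1", "S2")),
    AlgoState("S2", "signature", False, True, ("S1", "S2")),
]


def is_disabled(state, to_disable):
    """Disabled in the state list, or named for disabling in the upgrade package."""
    return (not state.available) or state.name in to_disable


def select_for_kind(state_list, terminal_algos, kind, to_disable=frozenset()):
    """Choose the algorithm (or cascade) of one type used to protect the upgrade.

    terminal_algos: names reported in the terminal's connection request.
    to_disable:     names the upgrade package is going to disable.
    """
    by_name = {s.name: s for s in state_list}
    # Target algorithm set: algorithms of this type that the terminal has.
    target = [s for s in state_list
              if s.kind == kind and s.name in terminal_algos]
    if not target:
        raise LookupError(f"terminal reports no {kind} algorithm")

    # An available algorithm is used directly, no cascade needed.
    for s in target:
        if not is_disabled(s, to_disable):
            return {"kind": kind, "mode": "single", "stages": [s.name]}

    # All disabled: look for a stored cascading manner whose stages all
    # exist on the terminal and all allow cascading.
    for s in target:
        if not (s.allow_cascade and s.cascade_manner):
            continue
        if all(n in terminal_algos and n in by_name and by_name[n].allow_cascade
               for n in s.cascade_manner):
            return {"kind": kind, "mode": "cascade",
                    "stages": list(s.cascade_manner)}

    raise LookupError(f"no usable or cascadable {kind} algorithm")


def build_cascade_instruction(state_list, terminal_algos, kinds,
                              to_disable=frozenset()):
    """Composition and cascading manner for every algorithm type in use."""
    return [select_for_kind(state_list, terminal_algos, k, to_disable)
            for k in kinds]
```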
With reference to fig. 12, a server 12 provided in an embodiment of the present invention includes:
a sending unit 1201, configured to send a cryptographic algorithm upgrade signal to a device to be upgraded, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on a server;
a receiving unit 1202, configured to receive a connection request sent by a device to be upgraded, where the connection request includes information of an existing algorithm of the device to be upgraded;
the processing unit 1203 is configured to, when it is determined that the algorithms in the target algorithm set are all disabled algorithms, select one or more disabled algorithms from the target algorithm set and cascade them to generate a cascade algorithm, where the target algorithm set is a set of algorithms among the existing algorithms; and then to upgrade the cryptographic algorithm of the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package.
The processing unit 1203 is specifically configured to obtain attribute information of the target algorithms in the target algorithm set, determine the disabled algorithms that allow cascading according to the attribute information, and select one or more disabled algorithms that allow cascading and cascade them to generate the cascade algorithm.
In addition, the processing unit 1203 is further configured to determine whether a target algorithm is an algorithm to be disabled indicated in the upgrade package and, if so, determine that the target algorithm is a disabled algorithm; or to determine whether the target algorithm is in a disabled state according to the information of the existing algorithms and, if so, determine that the target algorithm is a disabled algorithm.
The sending unit 1201 is further configured to send a cascade instruction to the device to be upgraded, so that the device to be upgraded generates the cascade algorithm according to the cascade instruction and the existing algorithms; the cascade instruction indicates the composition and cascading manner of the cascade algorithm.
The processing unit 1203 is further configured to establish an https secure connection with the device to be upgraded through a cascading https encryption algorithm; the sending unit 1201 is further configured to send a cryptographic algorithm upgrade packet to the device to be upgraded through https secure connection, where the cryptographic algorithm upgrade packet is encrypted by a cascaded https encryption algorithm.
The processing unit 1203 is further specifically configured to establish an https secure connection with the device to be upgraded through a cascading https signature algorithm; the sending unit 1201 is further configured to send a cryptographic algorithm upgrade package to the device to be upgraded through https secure connection.
The processing unit 1203 is further configured to establish https secure connection with the device to be upgraded through a cascade integrity algorithm; the sending unit 1201 is further configured to send a cryptographic algorithm upgrade packet to the device to be upgraded through https secure connection, where the cryptographic algorithm upgrade packet is integrity protected by a cascade integrity algorithm.
The following describes the interaction between the unit modules in the server 12 according to the present invention in a specific application scenario:
In a specific implementation, a cascade algorithm is mainly used to protect the cryptographic algorithm upgrade process in two stages: when the https secure connection is established, and when the cryptographic algorithm upgrade package is sent to the mobile terminal. The use of the cascade algorithm to protect the upgrade process when establishing the https secure connection is explained below.
Specifically, when establishing the https secure connection, the processing unit 1203 needs to use multiple types of cryptographic algorithms for protection. The following commonly used types are taken as examples: 1) https encryption algorithm; 2) integrity protection algorithm; 3) https signature algorithm.
Cryptographic algorithms exist on a mobile terminal in two forms: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. A cryptographic hardware accelerator means that the cryptographic algorithm module is provided with dedicated hardware accelerators, one for each cryptographic algorithm, to improve operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server 12 decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, the sending unit 1201 sends an upgrade signal to the mobile terminal. The automatic detection program of the mobile terminal periodically checks whether or not there is an upgrade signal on the servers of the device manufacturer and the service operator, and when the mobile terminal detects the upgrade signal, it sends a connection request to the receiving unit 1202.
After the mobile terminal sends a connection request to the receiving unit 1202, the receiving unit 1202 receives the connection request of the mobile terminal, where the request carries the cryptographic algorithm information supported by the mobile terminal, that is, the existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
The request sent by the mobile terminal to the receiving unit 1202 is a request for establishing https connection, and the processing unit 1203 obtains cryptographic algorithm information on a hardware accelerator of the mobile terminal from the request, and then selects a plurality of target algorithm sets that need to be used in establishing https connection from the algorithms, including: the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set.
It should be noted that, in practical applications, during the process of establishing the https connection, the processing unit 1203 may select other types of algorithm sets besides the https encryption algorithm set, the integrity protection algorithm set, and the https signature algorithm set, for example: the embodiments of the present invention take three types of algorithms commonly used in the https connection establishment process as an example, and when other types of algorithms are selected, the same manner in the embodiments of the present invention is also used for processing.
An algorithm state list is stored in both the mobile terminal and the server 12. The algorithm state list contains attribute information for each existing algorithm on the hardware accelerator of the mobile terminal, such as whether the algorithm is available or disabled and whether cascading is allowed.
If an algorithm is available, it is a secure algorithm and can be selected to protect the cryptographic algorithm upgrade process. If an algorithm is disabled, it is an insecure algorithm that has already been broken by an attacker or has some security problem, and using it directly to protect the cryptographic algorithm upgrade creates a potential security risk.
If an algorithm allows cascading, it may be cascaded with itself multiple times or combined with other algorithms in a cascade to improve the security strength. In addition, the specific cascading manner of each algorithm that allows cascading can be stored in the algorithm state list.
After determining the https encryption algorithm set, the integrity protection algorithm set, and the https signature algorithm set, the processing unit 1203 determines whether each type of algorithm has an algorithm with an available state according to the available or disabled attribute information in the algorithm state list, and if so, directly selects the algorithm with the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the https encryption algorithm set are in a disabled state, one or more disabled algorithms are selected from the algorithms in the https encryption algorithm set to be cascaded to generate a cascaded https encryption algorithm, if available algorithms in the integrity protection algorithm set and the https signature algorithm set are selectable, an available integrity protection algorithm is selected from the integrity protection algorithm set, and an available https signature algorithm is selected from the https signature algorithm set.
When at least one type of algorithm among those that the processing unit 1203 has determined are needed for the https secure connection is a cascade algorithm, the processing unit 1203 establishes the https secure connection with the mobile terminal through the cascade algorithms and the other available algorithms that do not need to be cascaded. The following description takes as an example the case where all the algorithms determined by the processing unit 1203 for the https secure connection are cascade algorithms:
The specific process by which the processing unit 1203 establishes the https connection with the mobile terminal using the cascade https encryption algorithm, the cascade integrity algorithm, and the cascade https signature algorithm is as follows:
1) The processing unit 1203 encrypts the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm, and the cascade https signature algorithm with the public key of the mobile terminal and sends the encrypted cascade indications to the mobile terminal through the sending unit 1201. The cascade indications indicate the composition and cascading manner of each cascade algorithm used by the server. The processing unit 1203 also sends its certificate, which contains the public key of the server, to the mobile terminal.
2) The mobile terminal decrypts with its private key to obtain the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm, and the cascade https signature algorithm, selects the corresponding algorithms from those of its cryptographic hardware accelerator according to the cascade indications, and generates the corresponding cascade https encryption algorithm, cascade integrity algorithm, and cascade https signature algorithm according to the cascading manner in the cascade indications.
3) The mobile terminal generates a random number key.
4) The mobile terminal encrypts the random number key by using the cascade https signature algorithm, encrypts the random number key by using the public key of the server 12, and encrypts the handshake message by using the cascade https encryption algorithm and the cascade integrity algorithm.
5) The mobile terminal sends the encrypted random number key and the encrypted handshake message to the server 12.
6) The processing unit 1203 of the server 12 decrypts the handshake message by using the private key and the cascade https signature algorithm to obtain the random number key, decrypts the handshake message by using the random number key and the cascade https encryption algorithm, and performs integrity verification on the handshake message by using the cascade integrity algorithm.
7) The processing unit 1203 encrypts a handshake message with the cascade https encryption algorithm and the key, and encrypts the handshake message with the cascade integrity algorithm.
8) The sending unit 1201 sends the encrypted handshake message to the mobile terminal.
9) The mobile terminal decrypts the handshake message by using the cascade https encryption algorithm and the key, and verifies the integrity of the handshake message by using the cascade integrity algorithm. The handshake between the server 12 and the mobile terminal then succeeds, and the https connection between them is established.
After https secure connection is established between the server 12 and the mobile terminal, communication data subsequently sent in the https secure transmission channel are encrypted by using an https encryption algorithm used when connection is established, and meanwhile integrity of the communication data is protected by using an integrity algorithm.
After https secure connection is established between the server 12 and the mobile terminal, the processing unit 1203 sends a cryptographic algorithm upgrade package to the mobile terminal through the https secure connection.
If the https encryption algorithm used when https secure connection is established is a cascade algorithm, the cryptographic algorithm upgrade packet is encrypted through the cascade https encryption algorithm, and if the integrity algorithm used when https connection is established is a cascade integrity algorithm, the integrity of the cryptographic algorithm upgrade packet in the transmission process is protected through the cascade integrity algorithm.
After the mobile terminal receives the cryptographic algorithm upgrading packet, the cryptographic algorithm upgrading packet is decrypted through the cascading https encryption algorithm, meanwhile, the integrity of the cryptographic algorithm upgrading packet is verified through the cascading integrity algorithm, and if the integrity of the cryptographic algorithm upgrading packet is verified, the cryptographic algorithm is upgraded through the cryptographic algorithm upgrading packet.
In practical applications, the https encryption algorithm may be a symmetric encryption algorithm, for example the AES algorithm; the integrity algorithm may be a hash algorithm plus a corresponding input key; and the signature algorithm may be an asymmetric algorithm, for example the RSA algorithm.
In the embodiment of the present invention, when https security connection is established, the processing unit 1203 determines an https encryption algorithm set, an integrity protection algorithm set, and an https signature algorithm set that need to be used, and when all cryptographic algorithms in one type of algorithm set are in a disabled state, the processing unit 1203 selects one or more algorithms of the type to be cascaded to generate a cascaded algorithm, and when other types of algorithms are selected, the same processing is performed. Then, the processing unit 1203 establishes https secure connection with the mobile terminal through the cascaded algorithm, and the sending unit 1201 sends the cryptographic algorithm upgrade package to the mobile terminal through the https secure connection. Therefore, the safety of the cryptographic algorithm in the upgrading process is improved.
With reference to fig. 13, a server 13 provided in an embodiment of the present invention includes:
a sending unit 1301, configured to send a cryptographic algorithm upgrade signal to a device to be upgraded, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade packet exists on a server;
a receiving unit 1302, configured to receive a connection request sent by a device to be upgraded, where the connection request includes information of an existing algorithm of the device to be upgraded;
the processing unit 1303 is configured to, when it is determined that the algorithms in the target algorithm set are all disabled algorithms, select one or more disabled algorithms from the target algorithm set and cascade them to generate a cascade algorithm, where the target algorithm set is a set of algorithms among the existing algorithms; and then to upgrade the cryptographic algorithm of the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package.
The processing unit 1303 is specifically configured to obtain attribute information of the target algorithms in the target algorithm set, determine the disabled algorithms that allow cascading according to the attribute information, and select one or more disabled algorithms that allow cascading and cascade them to generate the cascade algorithm.
In addition, the processing unit 1303 is further configured to determine whether a target algorithm is an algorithm to be disabled indicated in the upgrade package and, if so, determine that the target algorithm is a disabled algorithm; or to determine whether the target algorithm is in a disabled state according to the information of the existing algorithms and, if so, determine that the target algorithm is a disabled algorithm.
The sending unit 1301 is further configured to send a cascade instruction to the device to be upgraded, so that the device to be upgraded generates the cascade algorithm according to the cascade instruction and the existing algorithms; the cascade instruction indicates the composition and cascading manner of the cascade algorithm.
The processing unit 1303 is specifically further configured to sign the cryptographic algorithm upgrade package through a cascade upgrade package signature algorithm; the sending unit 1301 is further configured to send a cryptographic algorithm upgrade package to the device to be upgraded, where the cryptographic algorithm upgrade package includes a cascaded upgrade package signature algorithm indication.
The processing unit 1303 is further configured to select a target hash algorithm from existing algorithms; hashing the upgrade package through a target hashing algorithm to obtain a hashing value of the cipher algorithm upgrade package; the processing unit 1303 signs the cryptographic algorithm upgrade package through the cascade upgrade package signature algorithm, specifically, signs the hash value of the cryptographic algorithm upgrade package through the cascade signature algorithm.
The processing unit 1303 is further specifically configured to hash the cryptographic algorithm upgrade package through a cascade upgrade package hash algorithm to obtain a hash value of the cryptographic algorithm upgrade package; the sending unit 1301 is further configured to send a cryptographic algorithm upgrade package and a hash value to the device to be upgraded, where the cryptographic algorithm upgrade package includes a hash algorithm indication of a cascade upgrade package.
The processing unit 1303 is further configured to encrypt the cryptographic algorithm upgrade package by using a cascade upgrade package encryption algorithm; the sending unit 1301 is further configured to send a cryptographic algorithm upgrade packet to the device to be upgraded, where the cryptographic algorithm upgrade packet includes a cascaded upgrade packet encryption algorithm indication.
The following describes the interaction between the unit modules in the server 13 according to the present invention in a specific application scenario:
In a specific implementation, in addition to using the cascade algorithm for protection when establishing the https secure connection, the cryptographic algorithm upgrade process also needs cascade-algorithm protection when the upgrade package is sent to the mobile terminal. The use of the cascade algorithm to protect the upgrade process when sending the cryptographic algorithm upgrade package to the mobile terminal is described below.
Specifically, when the cryptographic algorithm upgrade package is sent, multiple types of cryptographic algorithms need to be used to protect it. The following commonly used types are taken as examples: 1) upgrade package signature algorithm; 2) upgrade package hash algorithm; 3) upgrade package encryption algorithm.
Cryptographic algorithms exist on a mobile terminal in two forms: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. A cryptographic hardware accelerator means that the cryptographic algorithm module is provided with dedicated hardware accelerators, one for each cryptographic algorithm, to improve operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
The sending unit 1301 sends an upgrade signal to the mobile terminal when the server 13 decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm. The automatic detection program of the mobile terminal periodically checks whether there is an upgrade signal on the servers of the device manufacturer and the service operator, and when the mobile terminal detects the upgrade signal, it sends a connection request to the receiving unit 1302.
After the mobile terminal sends a connection request to the receiving unit 1302, the receiving unit 1302 receives the connection request of the mobile terminal, where the request carries the cryptographic algorithm information supported by the mobile terminal, that is, the existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
When the sending unit 1301 sends the cryptographic algorithm upgrade package, the processing unit 1303 obtains cryptographic algorithm information on a hardware accelerator of the mobile terminal from the connection request, and selects a plurality of target algorithm sets that need to be used when sending the cryptographic algorithm upgrade package, including: an upgrade package signature algorithm set, an upgrade package hash algorithm set and an upgrade package encryption algorithm set.
It should be noted that, in practical applications, when protecting the upgrade package, the processing unit 1303 may select other types of algorithm sets besides the upgrade package signature algorithm set, the upgrade package hash algorithm set, and the upgrade package encryption algorithm set, for example an integrity algorithm set. The embodiment of the present invention takes the three types of algorithms commonly used when sending the cryptographic algorithm upgrade package as examples; when other types of algorithms are selected, they are processed in the same manner as in the embodiment of the present invention.
After determining the upgrade package signature algorithm set, the upgrade package hash algorithm set, and the upgrade package encryption algorithm set, the processing unit 1303 determines whether each type of algorithm has an algorithm in an available state according to the available or disabled attribute information in the algorithm state list, and if so, directly selects the algorithm in the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the upgrade package signature algorithm set are in a disabled state, selecting one or more disabled algorithms from the algorithms in the upgrade package signature algorithm set to be cascaded to generate a cascaded upgrade package signature algorithm, and if available algorithms in the upgrade package hash algorithm set and the upgrade package encryption algorithm set are selectable, selecting one available upgrade package hash algorithm from the upgrade package hash algorithm set and selecting one available upgrade package encryption algorithm from the upgrade package encryption algorithm set.
When, among the algorithms determined to be needed for sending the cryptographic algorithm upgrade package, at least one type is a cascade algorithm, the processing unit 1303 protects the upgrade package through the cascade algorithms and the other available algorithms that do not need to be cascaded. The specific manner of protecting the upgrade package is described below, taking as an example the case where the processing unit 1303 determines that the algorithms to be used when sending the upgrade package are the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm, and the cascade upgrade package encryption algorithm:
The processing unit 1303 hashes the upgrade package through the cascade upgrade package hash algorithm, signs the upgrade package through the cascade upgrade package signature algorithm, and encrypts the upgrade package using the cascade upgrade package encryption algorithm.
After the processing unit 1303 protects the cryptographic algorithm upgrade package through the cascading algorithm, the sending unit 1301 sends the cryptographic algorithm upgrade package to the mobile terminal, where the cryptographic upgrade package includes a cascading indication of each cascading algorithm used, and the cascading indication is used to indicate the configuration and the cascading manner of each cascading algorithm used by the server.
After receiving the cryptographic algorithm upgrade package, the mobile terminal uses the cascade indication of each cascade algorithm to generate the corresponding cascade algorithm from the cryptographic algorithms on its hardware accelerator.
If the processing unit 1303 uses the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm, and the cascade upgrade package encryption algorithm to protect the cryptographic algorithm upgrade package, the mobile terminal may generate the cascade signature algorithm according to the indication of the cascade upgrade package signature algorithm, generate the cascade upgrade package hash algorithm according to the indication of the cascade upgrade package hash algorithm, and generate the cascade upgrade package encryption algorithm according to the indication of the cascade upgrade package encryption algorithm. Then, the mobile terminal decrypts the upgrade package by using the cascade upgrade package encryption algorithm, performs signature verification on the upgrade package by using the cascade upgrade package signature algorithm, and performs hash value verification on the upgrade package by using the cascade upgrade package hash algorithm. If the verification is successful, the mobile terminal performs the cryptographic algorithm upgrade by using the cryptographic algorithm upgrade package.
It should be noted that, in practical application, when the processing unit 1303 uses the cascade signature algorithm to sign the cryptographic algorithm upgrade package, the processing unit first hashes the cryptographic algorithm upgrade package with the hash algorithm to obtain a hash value, and then signs the hash value with the cascade signature algorithm. If the algorithms in the target hash algorithm set are also all disabled, the processing unit may first hash the cryptographic algorithm upgrade package with the cascade hash algorithm to obtain the hash value, and then sign the hash value with the cascade signature algorithm.
In practical application, the upgrade package encryption algorithm may be a symmetric encryption algorithm or an asymmetric algorithm; the upgrade package signature algorithm may be an asymmetric algorithm, for example the RSA algorithm; and the hash algorithm is a commonly used hash function.
In this embodiment of the present invention, when the sending unit 1301 sends a cryptographic algorithm upgrade package, the processing unit 1303 determines that an upgrade package signature algorithm set, an upgrade package hash algorithm set, and an upgrade package encryption algorithm set need to be used, and when all cryptographic algorithms in one type of algorithm set are in a disabled state, one or more algorithms of this type may be selected to be cascaded to generate a cascaded algorithm, and when other types of algorithms are selected, the same processing is performed. Then, the processing unit 1303 protects the cryptographic algorithm upgrade package through the cascaded algorithm, the sending unit 1301 sends the cryptographic algorithm upgrade package and the cascaded algorithm indication to the mobile terminal, and the mobile terminal upgrades the cryptographic algorithm according to the cascaded algorithm indication and the cryptographic algorithm upgrade package. Therefore, the safety of the cryptographic algorithm in the upgrading process is improved.
The above is a description of a server in the cryptographic algorithm upgrading process, and the following is a description of a mobile terminal in the cryptographic algorithm upgrading process.
With reference to fig. 14, a mobile terminal 14 provided in the embodiment of the present invention includes:
the processing unit 1401 is configured to detect a cryptographic algorithm upgrade signal sent by the server, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on the server;
a sending unit 1402, configured to send a connection request to a server, where the connection request includes information of an existing algorithm of a device to be upgraded, and the connection request is used to enable the server to generate a cascade algorithm according to the existing algorithm, where the cascade algorithm is an algorithm generated by cascading one or more disabled algorithms, among the existing algorithms, that are allowed to be cascaded;
the processing unit 1401 is further configured to perform cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
In the embodiment of the present invention, after the processing unit 1401 detects a cryptographic algorithm upgrade signal sent by a server, the sending unit 1402 sends a connection request to the server, where the connection request includes information of an existing algorithm of the mobile terminal, the connection request is used to enable the server to generate a cascade algorithm according to the existing algorithm, the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms that allow cascading in the existing algorithm, and the processing unit 1401 upgrades the cryptographic algorithm according to the cascade algorithm and a cryptographic algorithm upgrade packet sent by the server. Therefore, when all the selectable algorithms are forbidden algorithms, the safety of the cipher algorithm in the upgrading process can be improved through the cascade of the forbidden algorithms.
With reference to fig. 15, a mobile terminal 15 provided in the embodiment of the present invention includes:
the processing unit 1501 is configured to detect a cryptographic algorithm upgrade signal sent by a server, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on the server;
a sending unit 1502, configured to send a connection request to a server, where the connection request includes information of an existing algorithm of a device to be upgraded, and the connection request is used to enable the server to generate a cascade algorithm according to the existing algorithm, where the cascade algorithm is an algorithm generated by cascading one or more disabled algorithms, among the existing algorithms, that are allowed to be cascaded;
the processing unit 1501 is further configured to perform cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
A receiving unit 1503, configured to receive a cascade indication sent by the server, where the cascade indication is used to indicate the composition and the cascade manner of a cascade algorithm; the processing unit is further configured to generate a cascade algorithm according to the cascade indication and the existing algorithm.
The processing unit 1501 is specifically configured to establish an https secure connection with the server through a cascade https encryption algorithm; the receiving unit 1503 is further configured to receive a cryptographic algorithm upgrade package sent by the server through the https secure connection, where the cryptographic algorithm upgrade package is encrypted by the cascade https encryption algorithm; the processing unit 1501 is further specifically configured to decrypt the cryptographic algorithm upgrade package according to the cascade https encryption algorithm, and then perform cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
The processing unit 1501 is specifically configured to establish https secure connection with the server through a cascading https signature algorithm; the receiving unit 1503 is further configured to receive a cryptographic algorithm upgrade packet sent by the server through the https secure connection; the processing unit 1501 is further specifically configured to perform cryptographic algorithm upgrade according to the cryptographic algorithm upgrade packet.
The processing unit 1501 is specifically configured to establish https secure connection with the server through a cascade integrity algorithm; the receiving unit 1503 is further configured to receive a cryptographic algorithm upgrade packet sent by the server through https secure connection, where the cryptographic algorithm upgrade packet is integrity protected by a cascade integrity algorithm; the processing unit 1501 is further specifically configured to perform integrity check on the cryptographic algorithm upgrade package according to the cascade integrity algorithm; and if the verification is passed, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
The following describes the interaction between the unit modules in the mobile terminal 15 according to the present invention in a specific application scenario:
There are two existing forms of cryptographic algorithms on mobile terminals: algorithms on a cryptographic hardware accelerator and software-implemented algorithms. With a cryptographic hardware accelerator, the cryptographic algorithm module is provided with a dedicated hardware accelerator for each cryptographic algorithm so as to improve the operation speed.
The upgrade of cryptographic algorithms involves two cases: 1) disabling algorithms on the hardware accelerator; or, 2) adding a software implemented algorithm.
When the server decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, an upgrade signal is sent to the mobile terminal 15. The processing unit 1501 periodically checks whether there is an upgrade signal on the servers of the device manufacturer and the service operator.
The specific method of detection is prior art and will not be described in detail herein.
When the processing unit 1501 detects an upgrade signal, the sending unit 1502 sends a connection request to the server, where the request carries cryptographic algorithm information supported by the mobile terminal, that is, existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
The sending unit 1502 sends a request to the server to establish https connection, and the server obtains cryptographic algorithm information on a hardware accelerator of the mobile terminal from the request, and then selects a plurality of target algorithm sets that need to be used in establishing https connection from the algorithms, including: the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set.
It should be noted that, in practical applications, in addition to selecting the https encryption algorithm set, the integrity protection algorithm set, and the https signature algorithm set, the server may also select other types of algorithm sets in the process of establishing the https connection. The embodiments of the present invention take the three types of algorithms commonly used in the https connection establishment process as examples; when other types of algorithms are selected, they are processed in the same manner as in the embodiments of the present invention.
After determining the https encryption algorithm set, the integrity protection algorithm set and the https signature algorithm set, the server determines whether each type of algorithm has an algorithm with an available state according to available or forbidden attribute information in the algorithm state list, and if the algorithm with the available state exists, the server directly selects the algorithm with the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the https encryption algorithm set are in a disabled state, one or more disabled algorithms are selected from the algorithms in the https encryption algorithm set to be cascaded to generate a cascaded https encryption algorithm, if available algorithms in the integrity protection algorithm set and the https signature algorithm set are selectable, an available integrity protection algorithm is selected from the integrity protection algorithm set, and an available https signature algorithm is selected from the https signature algorithm set.
Among the algorithms that the server determines need to be used in the https secure connection, when at least one type of algorithm is a cascade algorithm, the server establishes the https secure connection with the processing unit 1501 of the mobile terminal 15 through the cascade algorithms and the other available algorithms that do not need to be cascaded. This is described below, taking as an example the case where the algorithms that the server determines need to be used in the https secure connection are all cascade algorithms:
the server adopts a cascade https encryption algorithm, a cascade integrity algorithm and a cascade https signature algorithm to establish https connection with the mobile terminal, and the specific process is as follows:
1) The server uses the public key of the mobile terminal to encrypt the cascade indications of the cascade https encryption algorithm, the cascade integrity algorithm and the cascade https signature algorithm, and sends them to the receiving unit 1503 of the mobile terminal 15; the cascade indications indicate the composition and the cascade mode of each cascade algorithm used by the server. The server also sends its certificate to the mobile terminal, and the certificate contains the public key of the server.
2) The processing unit 1501 decrypts the cascade indications of the https encryption algorithm, the integrity algorithm, and the https signature algorithm with the private key, selects the corresponding algorithms from the algorithms of the cryptographic hardware accelerator of the processing unit 1501 according to the cascade indications, and generates the corresponding cascade https encryption algorithm, cascade integrity algorithm, and cascade https signature algorithm according to the cascade mode in the cascade indications.
3) The processing unit 1501 generates a random number key;
4) The processing unit 1501 encrypts the random number key using the cascaded https signature algorithm, encrypts the random number key using the public key of the server, and encrypts the handshake message using the cascaded https signature algorithm and the cascaded integrity algorithm.
5) The transmission unit 1502 transmits the encrypted random number key and the encrypted handshake message to the server.
6) The server decrypts by using a private key, decrypts by using a cascade https signature algorithm to obtain the random number key, decrypts by using the random number key and a cascade https encryption algorithm to obtain handshake messages, and performs integrity verification on the handshake messages by using a cascade integrity algorithm.
7) The server encrypts a handshake message by using the cascade https encryption algorithm and the key, and encrypts the handshake message by using the cascade integrity algorithm.
8) The server transmits the encrypted handshake message to the receiving unit 1503 of the mobile terminal 15.
9) The processing unit 1501 decrypts the handshake message using the cascade https encryption algorithm and the key, and verifies the integrity of the handshake message using the cascade integrity algorithm. After the handshake is successful, the processing unit 1501 of the mobile terminal 15 successfully establishes https connection with the server.
After https secure connection is established between the mobile terminal 15 and the server, communication data subsequently sent in the https secure transmission channel are encrypted by using an https encryption algorithm used when connection is established, and meanwhile integrity of the communication data is protected by using an integrity algorithm.
After https secure connection is established between the mobile terminal 15 and the server, the server sends a cryptographic algorithm upgrade packet to the mobile terminal through the https secure connection, and the receiving unit 1503 of the mobile terminal receives the cryptographic algorithm upgrade packet sent by the server through the https secure connection.
If the https encryption algorithm used when establishing the https secure connection is the cascade algorithm, the upgrade package received by the receiving unit 1503 is an upgrade package encrypted by the cascade https encryption algorithm; and if the integrity algorithm used when establishing the https connection is the cascade integrity algorithm, the upgrade package received by the receiving unit 1503 is a cryptographic algorithm upgrade package protected by the cascade integrity algorithm.
After the receiving unit 1503 receives the cryptographic algorithm upgrade package, the processing unit 1501 decrypts the cryptographic algorithm upgrade package through the cascade https encryption algorithm, meanwhile verifies the integrity of the cryptographic algorithm upgrade package through the cascade integrity algorithm, and if the verification is passed, upgrades the cryptographic algorithm through the cryptographic algorithm upgrade package.
In the embodiment of the present invention, an https encryption algorithm, an integrity protection algorithm, and an https signature algorithm need to be used when the https secure connection is established. When all cryptographic algorithms in one type of algorithm set are in a disabled state, one or more algorithms of that type may be selected and cascaded to generate a cascade algorithm. The processing unit 1501 of the mobile terminal 15 then establishes the https secure connection with the server through the cascade algorithms, and the receiving unit 1503 receives the cryptographic algorithm upgrade package sent by the server through the https secure connection. Therefore, the security of the cryptographic algorithm in the upgrading process is improved.
With reference to fig. 16, a mobile terminal 16 provided in an embodiment of the present invention includes:
the processing unit 1601 is configured to detect a cryptographic algorithm upgrade signal sent by a server, where the cryptographic algorithm upgrade signal is used to indicate that a cryptographic algorithm upgrade package exists on the server;
a sending unit 1602, configured to send a connection request to a server, where the connection request includes information of an existing algorithm of a device to be upgraded, and the connection request is used to enable the server to generate a cascade algorithm according to the existing algorithm, where the cascade algorithm is an algorithm generated by cascading one or more disabled algorithms, among the existing algorithms, that are allowed to be cascaded;
the processing unit 1601 is further configured to perform cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
A receiving unit 1603, configured to receive a cascade indication sent by the server, where the cascade indication is used to indicate the composition and the cascade manner of a cascade algorithm; the processing unit is further configured to generate a cascade algorithm according to the cascade indication and the existing algorithm.
The receiving unit 1603 is further configured to receive a cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes a signature algorithm indication of a cascade upgrade package; the processing unit 1601 is specifically configured to perform signature verification on the cryptographic algorithm upgrade package through a cascade signature algorithm; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
The receiving unit 1603 is further configured to receive a cryptographic algorithm upgrade package and a hash value of the cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes a hash algorithm indication of a cascade upgrade package; the processing unit 1601 is specifically configured to perform hash check on the cryptographic algorithm upgrade package through a cascade hash algorithm and a hash value; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
The receiving unit 1603 is further configured to receive a cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes a cascaded upgrade package encryption algorithm indication; the processing unit 1601 is specifically configured to decrypt the cryptographic algorithm upgrade package through a cascade encryption algorithm; and then, carrying out password algorithm upgrading according to the password algorithm upgrading packet.
The following describes the interaction between the unit modules in the mobile terminal 16 according to the present invention in a specific application scenario:
when the server decides to disable a cryptographic algorithm on a hardware accelerator or add a software implemented algorithm, an upgrade signal is sent to the mobile terminal 16. The processing unit 1601 periodically checks whether there is an upgrade signal on the device manufacturer's and service operator's servers.
When the processing unit 1601 detects the upgrade signal, the sending unit 1602 sends a connection request to the server, where the request carries cryptographic algorithm information supported by the mobile terminal, that is, existing cryptographic algorithm information.
When software of the mobile terminal is upgraded (for example, cipher algorithm upgrading), various cipher algorithms are required to be used for protection, and usually, each cipher hardware accelerator is called to accelerate each cipher algorithm so as to improve the operation speed. Therefore, in the embodiment of the present invention, the cryptographic algorithm carried in the connection request sent by the mobile terminal is an algorithm on a cryptographic hardware accelerator of the mobile terminal.
It should be noted that, in the embodiment of the present invention, before the mobile terminal receives the cryptographic algorithm upgrade package sent by the server, an https secure connection may be established between the server and the mobile terminal; for the specific process of establishing the https secure connection, refer to the description of the embodiment shown in fig. 8.
When the server sends the cryptographic algorithm upgrade package, the server obtains cryptographic algorithm information on a hardware accelerator of the mobile terminal from the connection request, and selects a plurality of target algorithm sets which need to be used when the cryptographic algorithm upgrade package is sent, wherein the target algorithm sets comprise: an upgrade package signature algorithm set, an upgrade package hash algorithm set and an upgrade package encryption algorithm set.
It should be noted that, in practical applications, when sending the cryptographic algorithm upgrade package, the server may select other types of algorithm sets in addition to the upgrade package signature algorithm set, the upgrade package hash algorithm set, and the upgrade package encryption algorithm set, for example an integrity algorithm set. The embodiment of the present invention takes the three types of algorithms commonly used when sending the cryptographic algorithm upgrade package as examples for description; when other types of algorithms are selected, they are processed in the same manner as in the embodiment of the present invention.
After determining the upgrade package signature algorithm set, the upgrade package hash algorithm set and the upgrade package encryption algorithm set, the server determines whether each type of algorithm has an algorithm with an available state according to available or forbidden attribute information in the algorithm state list, and if the algorithm with the available state exists, the server directly selects the algorithm with the available state. When all of one type of cryptographic algorithms are in a disabled state, one or more disabled cascading-enabled algorithms of the type are selected for cascading to generate a cascading algorithm.
For example: when all algorithms in the upgrade package signature algorithm set are in a disabled state, selecting one or more disabled algorithms from the algorithms in the upgrade package signature algorithm set to be cascaded to generate a cascaded upgrade package signature algorithm, and if available algorithms in the upgrade package hash algorithm set and the upgrade package encryption algorithm set are selectable, selecting one available upgrade package hash algorithm from the upgrade package hash algorithm set and selecting one available upgrade package encryption algorithm from the upgrade package encryption algorithm set.
When, among the algorithms that the server determines need to be used when sending the cryptographic algorithm upgrade package, at least one type of algorithm is a cascade algorithm, the upgrade package is protected through the cascade algorithms and the other available algorithms that do not need to be cascaded. The specific manner of protecting the upgrade package is described below, taking as an example the case where the algorithms that the server determines to use when sending the upgrade package are the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm, and the cascade upgrade package encryption algorithm:
the server hashes the upgrade package through a cascade upgrade package hashing algorithm, signs the upgrade package through a cascade upgrade package signing algorithm, and encrypts the upgrade package through a cascade upgrade package encryption algorithm.
The server transmits the protected cryptographic algorithm upgrade package to the mobile terminal 16, and the receiving unit 1603 of the mobile terminal 16 receives the cryptographic algorithm upgrade package transmitted by the server. The upgrade package includes a cascade instruction of each cascade algorithm used, and the cascade instruction is used for instructing the configuration and the cascade mode of each cascade algorithm used by the server.
After the receiving unit 1603 receives the cryptographic algorithm upgrade package, the processing unit 1601 generates a corresponding cascade algorithm according to the cryptographic algorithm on the hardware accelerator thereof through the cascade indication of each cascade algorithm in the upgrade package.
If the server uses the cascade upgrade package signature algorithm, the cascade upgrade package hash algorithm, and the cascade upgrade package encryption algorithm to protect the cryptographic algorithm upgrade package, the processing unit 1601 may generate the cascade signature algorithm according to the indication of the cascade upgrade package signature algorithm, generate the cascade upgrade package hash algorithm according to the indication of the cascade upgrade package hash algorithm, and generate the cascade upgrade package encryption algorithm according to the indication of the cascade upgrade package encryption algorithm.
The processing unit 1601 decrypts the upgrade package by using a cascade upgrade package encryption algorithm, performs signature verification on the upgrade package by using a cascade upgrade package signature algorithm, and performs hash value verification on the upgrade package by using a cascade upgrade package hash algorithm.
If the processing unit 1601 successfully decrypts the upgrade package by using the cascade upgrade package encryption algorithm, then successfully signs and verifies the upgrade package by using the cascade upgrade package signing algorithm, and then successfully verifies the hash value of the upgrade package by using the cascade upgrade package hash algorithm, then the processing unit 1601 uses the cryptographic algorithm upgrade package to perform cryptographic algorithm upgrade.
In the embodiment of the present invention, the receiving unit 1602 receives an upgrade package that is sent by the server and protected by an upgrade package signature algorithm, an upgrade package hash algorithm, and an upgrade package encryption algorithm. When all cryptographic algorithms in one type of algorithm set are disabled, the server protects the upgrade package with a cascade algorithm generated by cascading one or more algorithms of that type. After the receiving unit 1602 receives the upgrade package, the processing unit 1601 generates the corresponding cascade algorithm according to the indication of the cascade algorithm in the upgrade package, verifies the upgrade package with the cascade algorithm, and performs the cryptographic algorithm upgrade after the verification passes. Therefore, the security of the cryptographic algorithm upgrade is ensured when all the algorithms selectable by the server during the upgrading process are disabled algorithms.
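The selection rule and the hash leg of the package check described above, as an added Python sketch that is not code from the patent; the server applies the same rule to the https algorithm sets, and the signature and encryption legs follow the same pattern. The state list contents, the `concat` and `nested` cascading manners, the field names and the device-side validation of the indication are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgState:
    name: str              # hashlib name of the algorithm
    disabled: bool         # "available or disabled" attribute in the state list
    cascade_allowed: bool  # whether a disabled algorithm may still be cascaded


# Constructed state lists for the "upgrade package hash algorithm set".
ALL_DISABLED = [
    AlgState("md5", disabled=True, cascade_allowed=True),
    AlgState("sha1", disabled=True, cascade_allowed=True),
    AlgState("sha224", disabled=True, cascade_allowed=False),
]
ONE_AVAILABLE = ALL_DISABLED + [AlgState("sha256", False, False)]


def select_hash(states, mode="concat"):
    """Server side: use an available algorithm if there is one; otherwise
    cascade the disabled algorithms that are allowed to be cascaded."""
    available = [s.name for s in states if not s.disabled]
    if available:
        return {"cascade": False, "components": [available[0]], "mode": None}
    usable = [s.name for s in states if s.disabled and s.cascade_allowed]
    if not usable:
        raise ValueError("no available algorithm and nothing may be cascaded")
    return {"cascade": True, "components": usable, "mode": mode}


def build_hash(indication, local_states):
    """Rebuild the hash function named by a cascade indication.

    The indication is checked against the local state list first (an added
    defensive assumption), so a component the device does not have, or one
    that is not allowed to be cascaded, is rejected instead of used."""
    local = {s.name: s for s in local_states}
    names = indication["components"]
    if not names:
        raise ValueError("indication names no algorithm")
    for name in names:
        state = local.get(name)
        if state is None:
            raise ValueError(f"{name}: not present in the local algorithms")
        if indication["cascade"] and not state.cascade_allowed:
            raise ValueError(f"{name}: not allowed to be cascaded")
        if not indication["cascade"] and state.disabled:
            raise ValueError(f"{name}: disabled and not part of a cascade")
    if not indication["cascade"]:
        if len(names) != 1:
            raise ValueError("a non-cascade indication names one algorithm")
        return lambda data: hashlib.new(names[0], data).digest()
    if indication["mode"] == "concat":   # H1(m) || H2(m) || ...
        return lambda data: b"".join(
            hashlib.new(n, data).digest() for n in names)
    if indication["mode"] == "nested":   # ... H2(H1(m))
        def nested(data):
            for n in names:
                data = hashlib.new(n, data).digest()
            return data
        return nested
    raise ValueError("unknown cascading manner")


def protect_package(payload, server_view):
    """Server side: attach the indication and the resulting hash value."""
    indication = select_hash(server_view)
    digest = build_hash(indication, server_view)(payload)
    return {"payload": payload, "hash_indication": indication, "hash": digest}


def verify_package(package, device_states):
    """Device side: rebuild the cascade from local algorithms, then compare."""
    try:
        hash_fn = build_hash(package["hash_indication"], device_states)
    except ValueError:
        return False
    return hmac.compare_digest(hash_fn(package["payload"]), package["hash"])


if __name__ == "__main__":
    pkg = protect_package(b"constructed upgrade payload", ALL_DISABLED)
    print(pkg["hash_indication"], verify_package(pkg, ALL_DISABLED))
```

The hash value alone does not authenticate the package; in the flow above it is the value that the cascade signature algorithm then signs.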
The server in the embodiment of the present invention has been described above from the perspective of the modular functional entity; it is described below from the perspective of hardware processing. Referring to fig. 17, another embodiment of the server 17 in the embodiment of the present invention includes:
a receiver 1701, a transmitter 1702, a processor 1703 and a memory 1704 (wherein the number of processors 1701 in the network device 17 may be one or more, as exemplified by one processor 1701 in fig. 17). In some embodiments of the invention, the receiver 1701, the transmitter 1702, the processor 1703 and the memory 1704 may be connected by a bus or other means, wherein the connection by a bus is exemplified in fig. 17.
Wherein, by invoking the operation instructions stored in the memory 1704, the processor 1703 is configured to perform the following steps:
sending a cryptographic algorithm upgrade signal to the device to be upgraded via a transmitter 1702, the cryptographic algorithm upgrade signal being used to indicate that a cryptographic algorithm upgrade package exists on the server;
receiving a connection request sent by equipment to be upgraded through a receiver 1701, wherein the connection request comprises information of an existing algorithm of the equipment to be upgraded;
when the algorithms in the target algorithm set are determined to be forbidden algorithms, one or more forbidden algorithms are selected from the target algorithm set to be cascaded to generate a cascaded algorithm, wherein the target algorithm set is a set of algorithms in the existing algorithms; and then, the equipment to be upgraded is subjected to cryptographic algorithm upgrading through the cascade algorithm and the cryptographic algorithm upgrading packet.
Optionally, the processor 1703 is further configured to perform the following steps:
obtaining attribute information of target algorithms in the target algorithm set, determining forbidden algorithms allowing cascade connection according to the attribute information, and selecting one or more forbidden algorithms allowing cascade connection to carry out cascade connection so as to generate a cascade algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
judging whether the target algorithm is the algorithm to be forbidden indicated in the upgrade package, and if so, determining that the target algorithm is the forbidden algorithm; or, determining whether the target algorithm is in a disabled state according to the information of the existing algorithm, and if so, determining that the target algorithm is the disabled algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
and sending a cascade instruction to the equipment to be upgraded by using the transmitter 1702 so that the equipment to be upgraded generates a cascade algorithm according to the cascade instruction and the existing algorithm, wherein the cascade instruction is used for indicating the composition and the cascade mode of the cascade algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
establishing https secure connection with equipment to be upgraded through a cascade https encryption algorithm; the transmitter 1702 is utilized to send a cryptographic algorithm upgrade package to the device to be upgraded via an https secure connection, the cryptographic algorithm upgrade package being encrypted by a concatenated https encryption algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
establishing https secure connection with equipment to be upgraded through a cascading https signature algorithm; the cryptographic algorithm upgrade package is sent to the device to be upgraded over the https secure connection using the transmitter 1702.
Optionally, the processor 1703 is further configured to perform the following steps:
establishing https secure connection with equipment to be upgraded through a cascade integrity algorithm; the transmitter 1702 is utilized to send cryptographic algorithm upgrade packets to the device to be upgraded via https secure connection, the cryptographic algorithm upgrade packets being integrity protected by a cascade integrity algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
signing the cryptographic algorithm upgrade package through a cascade upgrade package signing algorithm; a cryptographic algorithm upgrade package is sent to the device to be upgraded using the transmitter 1702, the cryptographic algorithm upgrade package including a concatenated upgrade package signature algorithm indication.
Optionally, the processor 1703 is further configured to perform the following steps:
selecting a target hash algorithm from existing algorithms; hashing the upgrade package through a target hashing algorithm to obtain a hashing value of the cipher algorithm upgrade package; and signing the hash value of the cryptographic algorithm upgrading packet through a cascade signature algorithm.
Optionally, the processor 1703 is further configured to perform the following steps:
hashing the cipher algorithm upgrading packet through a cascading upgrading packet hashing algorithm to obtain a hashing value of the cipher algorithm upgrading packet; the transmitter 1702 is utilized to send a cryptographic algorithm upgrade package and a hash value to the device to be upgraded, where the cryptographic algorithm upgrade package includes a concatenated upgrade package hash algorithm indication.
Optionally, the processor 1703 is further configured to perform the following steps:
encrypting the cryptographic algorithm upgrade package through a cascade upgrade package encryption algorithm; the transmitter 1702 is utilized to send a cryptographic algorithm upgrade package to the device to be upgraded, where the cryptographic algorithm upgrade package includes a cascaded upgrade package encryption algorithm indication.
In the embodiment of the present invention, the transmitter 1702 sends a cryptographic algorithm upgrade signal to the mobile terminal, and the receiver 1701 receives the connection request sent by the mobile terminal. When the processor 1703 determines that all algorithms in the target algorithm set are disabled algorithms, it does not directly select a disabled algorithm to upgrade the mobile terminal; instead, it selects one or more target algorithms from the target algorithm set, cascades them to generate a cascade algorithm, and performs the cryptographic algorithm upgrade on the mobile terminal through the cascade algorithm and the cryptographic algorithm upgrade package. The cascade algorithm can effectively enhance the security strength of the algorithm, so the security of the cryptographic algorithm upgrade process can be effectively improved.
Referring to fig. 18, a mobile terminal in an embodiment of the present invention is described below from the perspective of hardware processing, where another embodiment of the mobile terminal 18 in an embodiment of the present invention includes:
a receiver 1801, a transmitter 1802, a processor 1803, and a memory 1804 (where the number of processors 1801 in the network device 18 may be one or more, and one processor 1801 is taken as an example in fig. 18). In some embodiments of the invention, the receiver 1801, the transmitter 1802, the processor 1803, and the memory 1804 may be connected by a bus or other means, wherein connection by a bus is illustrated in fig. 18.
Wherein, by invoking the operation instructions stored in the memory 1804, the processor 1803 is configured to perform the following steps:
detecting a cryptographic algorithm upgrading signal sent by a server, wherein the cryptographic algorithm upgrading signal is used for indicating that a cryptographic algorithm upgrading packet exists on the server;
sending a connection request to a server by using a transmitter 1802, wherein the connection request comprises information of an existing algorithm of equipment to be upgraded, the connection request is used for enabling the server to generate a cascade algorithm according to the existing algorithm, and the cascade algorithm is an algorithm for cascade generation of one or more forbidden algorithms allowing cascade in the existing algorithm;
and carrying out cipher algorithm upgrading according to the cascade algorithm and the cipher algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
a receiver 1801 is used for receiving a cascading instruction sent by a server, wherein the cascading instruction is used for indicating the composition and the cascading mode of a cascading algorithm; and generating a cascading algorithm according to the cascading indication and the existing algorithm.
Optionally, the processor 1803 is further configured to perform the following steps:
establishing https secure connection with a server through a cascading https encryption algorithm; a receiver 1801 is used for receiving a cryptographic algorithm upgrading packet sent by a server through https secure connection, wherein the cryptographic algorithm upgrading packet is encrypted by a cascading https encryption algorithm; and decrypting the cryptographic algorithm upgrading packet according to the cascade https encryption algorithm, and then upgrading the cryptographic algorithm according to the cryptographic algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
establishing https secure connection with a server through a cascading https signature algorithm; a receiver 1801 is used for receiving a cryptographic algorithm upgrading packet sent by a server through https secure connection; and carrying out cipher algorithm upgrading according to the cipher algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
establishing https secure connection with a server through a cascade integrity algorithm; a receiver 1801 is used for receiving a cryptographic algorithm upgrading packet sent by a server through https secure connection, and the cryptographic algorithm upgrading packet is subjected to integrity protection through a cascade integrity algorithm; integrity check is carried out on the cipher algorithm upgrading packet according to a cascade integrity algorithm; and if the verification is passed, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
a receiver 1801 is used for receiving a cryptographic algorithm upgrade package sent by a server, wherein the cryptographic algorithm upgrade package comprises a cascading upgrade package signature algorithm indication; performing signature verification on the cryptographic algorithm upgrade package through a cascade signature algorithm; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
a receiver 1801 is used for receiving a cryptographic algorithm upgrade package and a hash value of the cryptographic algorithm upgrade package sent by a server, wherein the cryptographic algorithm upgrade package comprises a cascading upgrade package hash algorithm indication; performing Hash check on the cryptographic algorithm upgrading packet through a cascading Hash algorithm and a Hash value; and if the verification is successful, carrying out the cryptographic algorithm upgrading according to the cryptographic algorithm upgrading packet.
Optionally, the processor 1803 is further configured to perform the following steps:
a receiver 1801 is used for receiving a cryptographic algorithm upgrade package sent by a server, wherein the cryptographic algorithm upgrade package comprises a cascade upgrade package encryption algorithm indication; decrypting the cryptographic algorithm upgrade package through a cascade encryption algorithm; and then carrying out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
In the embodiment of the present invention, after the processor 1803 detects a cryptographic algorithm upgrade signal sent by a server, the transmitter 1802 sends a connection request to the server. The connection request includes information of an existing algorithm of the mobile terminal and is used to enable the server to generate a cascade algorithm according to the existing algorithm; the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms, among the existing algorithms, that allow cascading. The processor 1803 then performs the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package sent by the server. Therefore, when all the selectable algorithms are forbidden algorithms, the security of the cryptographic algorithm upgrade process can be improved by cascading the forbidden algorithms.
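The server-side selection and device-side verification described in the two hardware embodiments above can be sketched for the upgrade package hash case. This is an added example, not code from the patent: the attribute table, the indication format, the function names and the use of digest concatenation as the cascade mode are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AlgInfo:
    """One entry of the existing-algorithm information in the connection request."""
    name: str
    kind: str              # algorithm set it belongs to, e.g. "package_hash"
    disabled: bool
    cascade_allowed: bool  # attribute: may this disabled algorithm be cascaded?


# Constructed sample: every package-hash algorithm on the device is disabled.
DEVICE_ALGS = [
    AlgInfo("md4", "package_hash", disabled=True, cascade_allowed=False),
    AlgInfo("md5", "package_hash", disabled=True, cascade_allowed=True),
    AlgInfo("sha1", "package_hash", disabled=True, cascade_allowed=True),
]
PACKAGE = b"constructed upgrade package bytes"


def select_cascade(existing, kind, to_disable=()):
    """Server side: build the cascade indication (composition and mode)."""
    target = [a for a in existing if a.kind == kind]
    if not target:
        raise ValueError(f"device reports no {kind} algorithm")
    # An algorithm counts as disabled if the device reports it so, or if the
    # upgrade package itself is about to disable it.
    usable = [a for a in target if not (a.disabled or a.name in to_disable)]
    if usable:
        # Not every algorithm is disabled, so no cascade is needed.
        return {"kind": kind, "mode": "single", "algorithms": [usable[0].name]}
    allowed = [a.name for a in target if a.cascade_allowed]
    if not allowed:
        raise ValueError("no disabled algorithm may be cascaded")
    return {"kind": kind, "mode": "concat", "algorithms": allowed}


def cascade_digest(indication, data):
    """Assumed cascade mode: concatenate each component digest, in order."""
    return b"".join(hashlib.new(n, data).digest()
                    for n in indication["algorithms"])


def server_protect(package, existing, to_disable=()):
    """Return the indication and the hash value sent with the package."""
    indication = select_cascade(existing, "package_hash", to_disable)
    return indication, cascade_digest(indication, package)


def device_verify(package, digest, indication, device_algs):
    """Device side: rebuild the cascade from its own algorithms and check."""
    own = {a.name: a for a in device_algs if a.kind == indication.get("kind")}
    names = indication.get("algorithms") or []
    mode = indication.get("mode")
    if mode not in ("single", "concat") or not names:
        return False
    if mode == "single" and len(names) != 1:
        return False
    for name in names:
        info = own.get(name)
        if info is None:
            return False  # indication names an algorithm the device lacks
        if mode == "single" and info.disabled:
            return False  # a disabled algorithm must not be used on its own
        if mode == "concat" and not info.cascade_allowed:
            return False  # component is not permitted in a cascade
    return hmac.compare_digest(cascade_digest(indication, package), digest)


if __name__ == "__main__":
    ind, dig = server_protect(PACKAGE, DEVICE_ALGS)
    print(ind, dig.hex(), device_verify(PACKAGE, dig, ind, DEVICE_ALGS))
```

Concatenating digests of iterated hash functions is known to give less collision resistance than the combined output length suggests (Joux, 2004), so the device-side checks on the indication matter as much as the cascade itself.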
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (40)

  1. A method for cryptographic algorithm upgrade, comprising:
    a server sends a cryptographic algorithm upgrade signal to a device to be upgraded, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server;
    the server receives a connection request sent by the equipment to be upgraded, wherein the connection request comprises information of an existing algorithm of the equipment to be upgraded;
    when the algorithms in the target algorithm set are determined to be forbidden algorithms, the server selects one or more forbidden algorithms from the target algorithm set to cascade to generate a cascade algorithm, wherein the target algorithm set is a set of algorithms in the existing algorithms;
    and the server carries out cryptographic algorithm upgrading on the equipment to be upgraded through the cascade algorithm and the cryptographic algorithm upgrading packet.
  2. The method of claim 1, wherein the server selecting one or more forbidden algorithms from the set of target algorithms for cascading to generate a cascading algorithm comprises:
    the server acquires attribute information of a target algorithm in the target algorithm set;
    the server determines a disabling algorithm allowing cascade connection according to the attribute information;
    the server selects one or more cascading-enabled disabling algorithms to cascade to generate the cascading algorithm.
  3. The method of claim 1, further comprising:
    the server judges whether the target algorithm is the algorithm to be forbidden indicated in the upgrade package, and if so, the target algorithm is determined to be the forbidden algorithm;
    or,
    and the server determines whether the target algorithm is in a forbidden state according to the information of the existing algorithm, and if so, the server determines that the target algorithm is the forbidden algorithm.
  4. The method according to any one of claims 1 to 3, further comprising:
    and the server sends a cascade instruction to the equipment to be upgraded so that the equipment to be upgraded generates the cascade algorithm according to the cascade instruction and the existing algorithm, wherein the cascade instruction is used for indicating the composition and the cascade mode of the cascade algorithm.
  5. The method of claim 4,
    the existing algorithm is an algorithm on a hardware accelerator of the equipment to be upgraded.
  6. The method of claim 5, wherein:
    the target algorithm set comprises an https encryption algorithm set, the cascade algorithm comprises a cascade https encryption algorithm, and the cascade indication comprises a cascade https encryption algorithm indication;
    the step of the server performing cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package includes:
    the server establishes https secure connection with the equipment to be upgraded through the cascade https encryption algorithm;
    and the server sends the cryptographic algorithm upgrading packet to the equipment to be upgraded through the https secure connection, wherein the cryptographic algorithm upgrading packet is encrypted by the cascading https encryption algorithm, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  7. The method of claim 5, wherein:
    the target algorithm set comprises an https signature algorithm set, the cascade algorithm comprises a cascade https signature algorithm, and the cascade indication comprises a cascade https signature algorithm indication;
    the step of the server performing cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package includes:
    the server establishes https secure connection with the equipment to be upgraded through the cascading https signature algorithm;
    and the server sends the cryptographic algorithm upgrading packet to the equipment to be upgraded through the https secure connection, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  8. The method of claim 5, wherein:
    the target set of algorithms comprises a set of integrity algorithms, the cascade algorithms comprise cascade integrity algorithms, and the cascade indication comprises a cascade integrity algorithm indication;
    the step that the server carries out the cryptographic algorithm upgrading on the equipment to be upgraded through the cascade algorithm and the cryptographic algorithm upgrading packet comprises the following steps:
    the server establishes https secure connection with the equipment to be upgraded through the cascade integrity algorithm;
    and the server sends the cryptographic algorithm upgrading packet to the equipment to be upgraded through the https secure connection, and the cryptographic algorithm upgrading packet is subjected to integrity protection by the cascade integrity algorithm so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  9. The method of claim 5, wherein:
    the target algorithm set comprises an upgrade package signature algorithm set, the cascade algorithm comprises a cascade upgrade package signature algorithm, and the cascade indication comprises a cascade upgrade package signature algorithm indication;
    the step of the server performing cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package includes:
    the server signs the cryptographic algorithm upgrading packet through the cascading upgrading packet signature algorithm;
    and the server sends the cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises the cascading upgrading packet signature algorithm indication, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  10. The method of claim 9, further comprising:
    the server selects a target hash algorithm from the existing algorithms;
    the server hashes the upgrade package through the target hash algorithm to obtain a hash value of the cipher algorithm upgrade package;
    the server signing the cryptographic algorithm upgrade package through the cascade signature algorithm comprises the following steps:
    and the server signs the hash value of the cryptographic algorithm upgrading packet through the cascade signature algorithm.
  11. The method of claim 5, wherein:
    the target algorithm set comprises an upgrade package hash algorithm set, the cascade algorithm comprises a cascade upgrade package hash algorithm, and the cascade algorithm indication comprises a cascade upgrade package hash algorithm indication;
    the step of the server performing cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package includes:
    the server hashes the cryptographic algorithm upgrading packet through the cascading upgrading packet hash algorithm to obtain a hash value of the cryptographic algorithm upgrading packet;
    and the server sends the cryptographic algorithm upgrading packet and the hash value to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises a hash algorithm indication of the cascade upgrading packet, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  12. The method of claim 5, wherein:
    the target algorithm set comprises an upgrade package encryption algorithm set, the cascaded algorithm comprises a cascaded upgrade package encryption algorithm, and the cascaded algorithm indication comprises a cascaded upgrade package encryption algorithm indication;
    the step of the server performing cryptographic algorithm upgrade on the device to be upgraded through the cascade algorithm and the cryptographic algorithm upgrade package includes:
    the server encrypts the cryptographic algorithm upgrading packet through the cascade upgrading packet encryption algorithm;
    and the server sends the cryptographic algorithm upgrading packet to the equipment to be upgraded, wherein the cryptographic algorithm upgrading packet comprises the cascading upgrading packet encryption algorithm indication, so that the equipment to be upgraded is subjected to cryptographic algorithm upgrading.
  13. A method for cryptographic algorithm upgrade, comprising:
    a device to be upgraded detects a cryptographic algorithm upgrade signal sent by a server, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server;
    the equipment to be upgraded sends a connection request to the server, wherein the connection request contains information of an existing algorithm of the equipment to be upgraded, the connection request is used for enabling the server to generate a cascade algorithm according to the existing algorithm, and the cascade algorithm is an algorithm for cascade generation of one or more forbidden algorithms allowing cascade in the existing algorithms;
    and the equipment to be upgraded carries out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet.
  14. The method of claim 13, further comprising:
    the equipment to be upgraded receives a cascading instruction sent by the server, wherein the cascading instruction is used for indicating the composition and the cascading mode of the cascading algorithm;
    and the equipment to be upgraded generates the cascade algorithm according to the cascade indication and the existing algorithm.
  15. The method according to claim 13 or 14,
    the existing algorithm is an algorithm on a hardware accelerator of the equipment to be upgraded.
  16. The method of claim 15, wherein:
    the cascade algorithm comprises a cascade https encryption algorithm, and the cascade indication comprises a cascade https encryption algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded establishes https secure connection with the server through the cascade https encryption algorithm;
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet sent by the server through the https secure connection, wherein the cryptographic algorithm upgrading packet is encrypted by the cascading https encryption algorithm;
    the equipment to be upgraded decrypts the cryptographic algorithm upgrading packet according to the cascade https encryption algorithm;
    and the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade packet.
  17. The method of claim 15, wherein:
    the cascade algorithm comprises a cascade https signature algorithm, and the cascade indication comprises a cascade https signature algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded establishes https secure connection with the server through the cascading https signature algorithm;
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet sent by the server through the https secure connection;
    and the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade packet.
  18. The method of claim 15, wherein:
    the cascade algorithm comprises a cascade integrity algorithm, the cascade indication comprises a cascade integrity algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded establishes https secure connection with the server through the cascade integrity algorithm;
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet sent by the server through the https secure connection, and the cryptographic algorithm upgrading packet is subjected to integrity protection by the cascade integrity algorithm;
    the equipment to be upgraded carries out integrity verification on the cryptographic algorithm upgrading packet according to the cascade integrity algorithm;
    and if the verification is passed, the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  19. The method of claim 15, wherein:
    the cascade algorithm comprises a cascade upgrade package signature algorithm, and the cascade indication comprises a cascade upgrade package signature algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet sent by the server, wherein the cryptographic algorithm upgrading packet comprises the signature algorithm indication of the cascade upgrading packet;
    the equipment to be upgraded carries out signature verification on the cryptographic algorithm upgrading packet through the cascade signature algorithm;
    and if the verification is successful, the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  20. The method of claim 15,
    the cascade algorithm comprises a cascade upgrade packet hash algorithm, and the cascade indication comprises a cascade upgrade packet hash algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet and the hash value of the cryptographic algorithm upgrading packet sent by the server, wherein the cryptographic algorithm upgrading packet comprises the hash algorithm indication of the cascade upgrading packet;
    the equipment to be upgraded performs hash check on the cryptographic algorithm upgrading packet through the cascade hash algorithm and the hash value;
    and if the verification is successful, the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  21. The method of claim 15,
    the cascade algorithm comprises a cascade upgrade package encryption algorithm, and the cascade indication comprises a cascade upgrade package encryption algorithm indication;
    the step of the equipment to be upgraded carrying out cryptographic algorithm upgrading according to the cascade algorithm and the cryptographic algorithm upgrading packet comprises:
    the equipment to be upgraded receives the cryptographic algorithm upgrading packet sent by the server, wherein the cryptographic algorithm upgrading packet comprises the encryption algorithm indication of the cascade upgrading packet;
    the equipment to be upgraded decrypts the cryptographic algorithm upgrading packet through the cascade encryption algorithm;
    and the equipment to be upgraded carries out the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade packet.
  22. A server, characterized in that the server comprises:
    the device comprises a sending unit, a receiving unit and a processing unit, wherein the sending unit is used for sending a cryptographic algorithm upgrading signal to equipment to be upgraded, and the cryptographic algorithm upgrading signal is used for indicating that a cryptographic algorithm upgrading packet exists on the server;
    the receiving unit is used for receiving a connection request sent by the equipment to be upgraded, wherein the connection request contains information of an existing algorithm of the equipment to be upgraded;
    the processing unit is used for selecting one or more forbidden algorithms from the target algorithm set to be cascaded to generate a cascaded algorithm when the algorithms in the target algorithm set are all forbidden algorithms, wherein the target algorithm set is the set of algorithms in the existing algorithms;
    and the processing unit is also used for carrying out cryptographic algorithm upgrading on the equipment to be upgraded through the cascade algorithm and the cryptographic algorithm upgrading packet.
  23. The server according to claim 22,
    the processing unit is specifically configured to obtain attribute information of a target algorithm in the target algorithm set, determine a forbidden algorithm that allows cascading according to the attribute information, and select one or more forbidden algorithms that allow cascading for cascading to generate the cascaded algorithm.
  24. The server according to claim 22,
    the processing unit is further configured to determine whether the target algorithm is an algorithm to be disabled indicated in the upgrade package, and if so, determine that the target algorithm is a disabled algorithm; or, the processing unit is further configured to determine, according to the information of the existing algorithm, whether the target algorithm is in a forbidden state, and if so, determine that the target algorithm is a forbidden algorithm.
  25. The server according to any one of claims 22 to 24,
    the sending unit is further configured to send a cascade indication to the device to be upgraded, so that the device to be upgraded generates the cascade algorithm according to the cascade indication and the existing algorithm, where the cascade indication is used to indicate a configuration and a cascade manner of the cascade algorithm.
  26. The server according to claim 25,
    if the target algorithm set comprises an https encryption algorithm set, the cascade algorithm comprises a cascade https encryption algorithm, and the cascade indication comprises a cascade https encryption algorithm indication;
    the processing unit is specifically further configured to establish https secure connection with the device to be upgraded through a cascaded https encryption algorithm;
    the sending unit is further configured to send the cryptographic algorithm upgrade package to the device to be upgraded through the https secure connection, where the cryptographic algorithm upgrade package is encrypted by the cascaded https encryption algorithm.
  27. The server according to claim 25,
    if the target algorithm set comprises an https signature algorithm set, the cascade algorithm comprises a cascade https signature algorithm, and the cascade indication comprises a cascade https signature algorithm indication;
    the processing unit is specifically further configured to establish https secure connection with the device to be upgraded through the cascaded https signature algorithm;
    the sending unit is further configured to send the cryptographic algorithm upgrade package to the device to be upgraded through the https secure connection.
  28. The server according to claim 25,
    if the target algorithm set comprises an integrity algorithm set, the cascade algorithm comprises a cascade integrity algorithm, and the cascade indication comprises a cascade integrity algorithm indication;
    the processing unit is specifically further configured to establish https secure connection with the device to be upgraded through the cascade integrity algorithm;
    the sending unit is further configured to send the cryptographic algorithm upgrade package to the device to be upgraded through the https secure connection, where the cryptographic algorithm upgrade package is integrity-protected by the cascade integrity algorithm.
  29. The server according to claim 25,
    if the target algorithm set comprises an upgrade package signature algorithm set, the cascade algorithm comprises a cascade upgrade package signature algorithm, and the cascade indication comprises a cascade upgrade package signature algorithm indication;
    the processing unit is specifically further configured to sign the cryptographic algorithm upgrade package through the cascade upgrade package signature algorithm;
    the sending unit is further configured to send the cryptographic algorithm upgrade package to the device to be upgraded, where the cryptographic algorithm upgrade package includes the cascade upgrade package signature algorithm indication.
  30. The server according to claim 29,
    the processing unit is further configured to select a target hash algorithm from the existing algorithms, and to hash the cryptographic algorithm upgrade package through the target hash algorithm to obtain a hash value of the cryptographic algorithm upgrade package;
    the signing of the cryptographic algorithm upgrade package by the processing unit through the cascade upgrade package signature algorithm is specifically to sign the hash value of the cryptographic algorithm upgrade package through the cascade signature algorithm.
  31. The server according to claim 25,
    if the target algorithm set comprises an upgrade package hash algorithm set, the cascade algorithm comprises a cascade upgrade package hash algorithm, and the cascade indication comprises a cascade upgrade package hash algorithm indication;
    the processing unit is specifically further configured to hash the cryptographic algorithm upgrade package through the cascade upgrade package hash algorithm to obtain a hash value of the cryptographic algorithm upgrade package;
    the sending unit is further configured to send the cryptographic algorithm upgrade package and the hash value to the device to be upgraded, where the cryptographic algorithm upgrade package includes the cascade upgrade package hash algorithm indication.
  32. The server according to claim 25,
    if the target algorithm set comprises an upgrade package encryption algorithm set, the cascade algorithm comprises a cascade upgrade package encryption algorithm, and the cascade indication comprises a cascade upgrade package encryption algorithm indication;
    the processing unit is specifically further configured to encrypt the cryptographic algorithm upgrade package by the cascade upgrade package encryption algorithm;
    the sending unit is further configured to send the cryptographic algorithm upgrade package to the device to be upgraded, where the cryptographic algorithm upgrade package includes the cascade upgrade package encryption algorithm indication.
  33. A mobile terminal, comprising:
    a processing unit, configured to detect a cryptographic algorithm upgrade signal sent by a server, wherein the cryptographic algorithm upgrade signal is used for indicating that a cryptographic algorithm upgrade package exists on the server;
    a sending unit, configured to send a connection request to the server, where the connection request includes information of an existing algorithm of the device to be upgraded, and the connection request is used to enable the server to generate a cascade algorithm according to the existing algorithm, where the cascade algorithm is an algorithm generated by cascading one or more forbidden algorithms, among the existing algorithms, that allow cascading;
    and the processing unit is further configured to perform the cryptographic algorithm upgrade according to the cascade algorithm and the cryptographic algorithm upgrade package.
  34. The mobile terminal of claim 33, wherein the mobile terminal further comprises:
    a receiving unit, configured to receive a cascade indication sent by the server, where the cascade indication is used to indicate a configuration and a cascade manner of the cascade algorithm;
    the processing unit is further configured to generate the cascade algorithm according to the cascade indication and the existing algorithm.
  35. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade https encryption algorithm, the cascade indication comprises a cascade https encryption algorithm indication;
    the processing unit is specifically configured to establish https secure connection with the server through the cascaded https encryption algorithm;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade packet sent by the server through the https secure connection, where the cryptographic algorithm upgrade packet is encrypted by the cascaded https encryption algorithm;
    the processing unit is specifically further configured to decrypt the cryptographic algorithm upgrade package according to the cascaded https encryption algorithm, and then perform cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  36. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade https signature algorithm, the cascade indication comprises a cascade https signature algorithm indication;
    the processing unit is specifically configured to establish an https secure connection with the server through the cascaded https signature algorithm;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade packet sent by the server through the https secure connection;
    the processing unit is specifically further configured to perform cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  37. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade integrity algorithm, the cascade indication comprises a cascade integrity algorithm indication;
    the processing unit is specifically configured to establish https secure connection with the server through the cascade integrity algorithm;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade packet sent by the server through the https secure connection, where the cryptographic algorithm upgrade packet is integrity protected by the cascade integrity algorithm;
    the processing unit is specifically further configured to perform an integrity check on the cryptographic algorithm upgrade package according to the cascade integrity algorithm, and if the verification is passed, perform the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  38. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade upgrade package signature algorithm, the cascade indication comprises a cascade upgrade package signature algorithm indication;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes the cascade upgrade package signature algorithm indication;
    the processing unit is specifically configured to perform signature verification on the cryptographic algorithm upgrade package through the cascade signature algorithm, and if the verification is successful, perform the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  39. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade upgrade package hash algorithm, the cascade indication comprises a cascade upgrade package hash algorithm indication;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade package and a hash value of the cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes the cascade upgrade package hash algorithm indication;
    the processing unit is specifically configured to perform a hash check on the cryptographic algorithm upgrade package through the cascade hash algorithm and the hash value, and if the verification is successful, perform the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
  40. The mobile terminal of claim 34,
    if the cascade algorithm comprises a cascade upgrade package encryption algorithm, the cascade indication comprises a cascade upgrade package encryption algorithm indication;
    the receiving unit is further configured to receive the cryptographic algorithm upgrade package sent by the server, where the cryptographic algorithm upgrade package includes the cascade upgrade package encryption algorithm indication;
    the processing unit is specifically configured to decrypt the cryptographic algorithm upgrade package through the cascade encryption algorithm, and then perform the cryptographic algorithm upgrade according to the cryptographic algorithm upgrade package.
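
Claims 31 and 39 describe the cascade upgrade package hash flow from the server side and the terminal side. The sketch below is an added example, not code from the patent: it assumes the cascade manner is concatenation of digests, and the attribute names (`disabled`, `cascadable`), the indication layout and the `legacy-xor` entry are constructed for illustration.

```python
import hashlib
import hmac

# Constructed "existing algorithm" information a device might report in its
# connection request. The attribute names are assumptions for this example.
EXISTING = {
    "md5":        {"disabled": True, "cascadable": True},
    "sha1":       {"disabled": True, "cascadable": True},
    "legacy-xor": {"disabled": True, "cascadable": False},  # constructed name
}

def select_cascade(existing):
    """Server side: build a cascade indication when every algorithm is disabled."""
    if not all(a["disabled"] for a in existing.values()):
        return None  # an allowed algorithm still exists; no cascade is needed
    chosen = sorted(n for n, a in existing.items() if a["cascadable"])
    if not chosen:
        raise ValueError("no disabled algorithm allows cascading")
    # The indication carries the configuration (which algorithms) and the manner.
    return {"algs": chosen, "manner": "concat"}

def cascade_hash(indication, data):
    """Compute H1(data) || H2(data) || ... for the algorithms in the indication."""
    if indication["manner"] != "concat":
        raise ValueError("unsupported cascade manner")
    return b"".join(hashlib.new(n, data).digest() for n in indication["algs"])

def server_prepare(package, existing):
    """Server side: return the package, its cascade hash and the indication."""
    indication = select_cascade(existing)
    if indication is None:
        raise ValueError("cascade not required")
    return package, cascade_hash(indication, package), indication

def device_verify(package, digest, indication, existing):
    """Device side: rebuild the cascade from local algorithms and check the hash."""
    if not indication["algs"]:
        return False
    for name in indication["algs"]:
        attrs = existing.get(name)
        # Reject anything the device does not hold or that may not be cascaded.
        if attrs is None or not attrs["cascadable"]:
            return False
    try:
        expected = cascade_hash(indication, package)
    except ValueError:
        return False  # unknown cascade manner
    return hmac.compare_digest(expected, digest)
```

The device checks the indication against its own algorithm attributes before hashing, so an indication that names a non-cascadable algorithm or an unknown manner is rejected rather than trusted.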
CN201580029236.0A 2015-07-09 2015-07-09 Method and equipment for upgrading cryptographic algorithm Active CN108141353B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/083654 WO2017004828A1 (en) 2015-07-09 2015-07-09 Method and device for upgrading cryptographic algorithm

Publications (2)

Publication Number Publication Date
CN108141353A true CN108141353A (en) 2018-06-08
CN108141353B CN108141353B (en) 2020-06-26

Family

ID=57684692

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580029236.0A Active CN108141353B (en) 2015-07-09 2015-07-09 Method and equipment for upgrading cryptographic algorithm

Country Status (2)

Country Link
CN (1) CN108141353B (en)
WO (1) WO2017004828A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111526016A (en) * 2020-04-26 2020-08-11 南方电网科学研究院有限责任公司 Parameter configuration method and device for cryptographic algorithm

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109981291A (en) * 2019-03-27 2019-07-05 国家电网有限公司 A kind of mixing packet signature method
CN113806749B (en) * 2021-09-23 2024-04-05 航天信息股份有限公司 Upgrading method, device and storage medium
CN114245188B (en) * 2021-12-29 2023-09-15 卡莱特云科技股份有限公司 Automatic cascade method of playing box terminal and cascade playing method of LED display screen
CN114785688B (en) * 2022-06-21 2022-09-06 深圳市华曦达科技股份有限公司 Terminal equipment upgrading method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001127747A (en) * 1999-10-25 2001-05-11 Toshiba Corp Information ciphering and deciphering device
CN1798133A (en) * 2004-12-29 2006-07-05 海信集团有限公司 Pipe communication method based on IGRS protocol
CN103067333A (en) * 2011-10-18 2013-04-24 华为终端有限公司 Method for verifying set top box access identity and authentication server

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8155306B2 (en) * 2004-12-09 2012-04-10 Intel Corporation Method and apparatus for increasing the speed of cryptographic processing
CN101820622B (en) * 2010-02-05 2016-02-10 中兴通讯股份有限公司 The method and system of managing empty mapping keys in wireless communication system
CN102510378B (en) * 2011-10-31 2015-03-18 福建天晴数码有限公司 Method for logging in online game through mobile equipment
CN103067156B (en) * 2012-12-28 2016-01-20 北京移数通电讯有限公司 The URL encryption of mobile Internet user resources access, verification method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张小平,李东生: "Research on a method for strengthening the security of block ciphers", 《电脑开发与应用》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111526016A (en) * 2020-04-26 2020-08-11 南方电网科学研究院有限责任公司 Parameter configuration method and device for cryptographic algorithm
CN111526016B (en) * 2020-04-26 2022-12-23 南方电网科学研究院有限责任公司 Parameter configuration method and device for cryptographic algorithm

Also Published As

Publication number Publication date
WO2017004828A1 (en) 2017-01-12
CN108141353B (en) 2020-06-26

Similar Documents

Publication Publication Date Title
CN107294937B (en) Data transmission method based on network communication, client and server
CN107248994B (en) Information sending method, processing method and device
CN111371549B (en) Message data transmission method, device and system
CN106788989B (en) Method and equipment for establishing secure encrypted channel
CN108141353B (en) Method and equipment for upgrading cryptographic algorithm
CN107800675B (en) Data transmission method, terminal and server
EP2991268A1 (en) Data processing method and apparatus
CN113806772A (en) Information encryption transmission method and device based on block chain
JP2015518320A (en) Network intrusion detection using decoy encryption key
CN107635227B (en) Group message encryption method and device
CN111178884A (en) Information processing method, device, equipment and readable storage medium
CN113811874A (en) Encrypted data verification method
CN111914291A (en) Message processing method, device, equipment and storage medium
CN106027251A (en) Identity card reading terminal and cloud authentication platform data transmission method and system
CN113726725A (en) Data encryption and decryption method and device, electronic equipment and storage medium
EP3442195A1 (en) Method and device for parsing packet
CN105791258A (en) Data transmission method, terminal and open platform
KR20160020866A (en) Method and system for providing service encryption in closed type network
CN113515766A (en) File transmission method and device
KR20160111244A (en) Electronic apparatus and communication method thereof
CN106878985B (en) Unified skip method and device for terminal page and terminal
CN106487761B (en) Message transmission method and network equipment
CN115001865B (en) Communication processing method and system, client, communication server and supervision server
CN108242997B (en) Method and apparatus for secure communication
CN115021919A (en) SSL negotiation method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210420

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Device Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.