CN108259486A - End-to-end key exchange method based on certificate - Google Patents


Info

Publication number: CN108259486A
Authority: CN (China)
Prior art keywords: terminal, key, server, certificate, public key
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN201810022875.XA
Other languages: Chinese (zh)
Other versions: CN108259486B (en)
Inventors: 王靖, 姚明月, 罗东平, 庞潼川, 杨成功
Current assignee: Core Shield Net (beijing) Technology Development Co Ltd (the listed assignees may be inaccurate)
Original assignee: Core Shield Net (beijing) Technology Development Co Ltd
Application filed by Core Shield Net (beijing) Technology Development Co Ltd
Priority to CN201810022875.XA
Publication of CN108259486A
Application granted
Publication of CN108259486B
Current legal status: Active

Classifications

    • H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W4/14: Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]


Abstract

The invention discloses a certificate-based end-to-end key exchange method, comprising: Step 1, terminal I obtains the public key of terminal II, as follows: A1, terminal I encrypts its public key and submits it to the server; A2, the server decrypts the encrypted public key of terminal I, the digital certificate authentication center makes the user certificate of terminal I, and the server stores the user certificate of terminal I; A3, terminal I generates a request message for a key exchange with terminal II; A4, the server issues the user certificate of terminal I to terminal II and, after terminal II agrees to the key exchange request, issues the user certificate of terminal II to terminal I; A5, terminal I parses the public key of terminal II out of the user certificate of terminal II and saves it. Terminal II obtains the public key of terminal I in the same way. The invention simplifies the key exchange flow, prevents man-in-the-middle attacks and replay attacks during registration, and improves the security of the public keys.

Description

End-to-end key exchange method based on certificate
Technical field
The present invention relates to the field of information technology, and specifically to a certificate-based end-to-end key exchange method.
Background
For end-to-end devices to communicate in encrypted form, encryption keys must be exchanged in advance. Most current schemes use a dedicated key injection device to import keys into the devices at the site of use, which is costly and inconvenient. A small number of end-to-end devices exchange keys over the network but lack security protections, leaving them vulnerable to man-in-the-middle attacks and replay attacks.
Summary of the invention
An object of the invention is to solve at least the above problems and to provide at least the advantages described later.
A further object of the invention is to provide a certificate-based end-to-end key exchange method that simplifies the key exchange flow, improves the efficiency of key exchange, shortens the waiting time of both parties, prevents man-in-the-middle attacks and replay attacks during registration, and ensures the security of the public keys.
To achieve these objects and other advantages, the invention provides a certificate-based end-to-end key exchange method, comprising:
Step 1: terminal I obtains the public key of terminal II, as follows:
A1. At registration, terminal I generates a public/private key pair, encrypts the public key and submits it to the server;
A2. The server decrypts the encrypted public key of terminal I and submits the decrypted public key to the digital certificate authentication center; the digital certificate authentication center makes the user certificate of terminal I and transmits it to the server, and the server stores the user certificate of terminal I;
A3. Terminal I generates a request message for a key exchange with terminal II, digitally signs the request message with the private key of terminal I, and sends it to the server;
A4. After the server successfully verifies the digital signature with the public key of terminal I, it issues the user certificate of terminal I to terminal II and at the same time pushes the key exchange request to terminal II; after terminal II agrees to the exchange, the server issues the user certificate of terminal II to terminal I;
A5. Terminal I uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal II out of the user certificate of terminal II, and saves it.
Preferably, the method further comprises:
Step 2: terminal II obtains the public key of terminal I, as follows:
B1. At registration, terminal II generates a public/private key pair, encrypts the public key and submits it to the server;
B2. The server decrypts the encrypted public key of terminal II and submits the decrypted public key to the digital certificate authentication center; the digital certificate authentication center makes the user certificate of terminal II and transmits it to the server, and the server stores the user certificate of terminal II;
B3. Terminal II generates a request message for a key exchange with terminal I, digitally signs the request message with the private key of terminal II, and sends it to the server;
B4. After the server successfully verifies the digital signature with the public key of terminal II, it issues the user certificate of terminal II to terminal I and at the same time pushes the key exchange request to terminal I; after terminal I agrees to the exchange, the server issues the user certificate of terminal I to terminal II;
B5. Terminal II uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal I out of the user certificate of terminal I, and saves it, which completes the key exchange.
Preferably, the method further comprises:
Step 3: terminal I and terminal II exchange information, specifically:
C1. Information entered on terminal I is encrypted with the public key of terminal II saved in terminal I and sent to terminal II; terminal II decrypts the received information with its own private key and presents the plaintext;
C2. Information entered on terminal II is encrypted with the public key of terminal I saved in terminal II and sent to terminal I; terminal I decrypts the received information with its own private key and presents the plaintext, which completes the exchange of information.
Preferably, before terminal I and terminal II exchange information, the identity registered on terminal I and on terminal II must each pass login verification, the registered identity being a mobile phone number. Specifically: after a mobile phone number has been registered on terminal I, at login terminal I submits the mobile phone number and the device ID information of terminal I to the server, and the server checks the mobile phone number and device ID information submitted by terminal I; if they are consistent, login is allowed. Login verification on terminal II works the same way as on terminal I.
Preferably, in step A1, terminal I calls the RSA algorithm interface of an extension encryption hardware with which it is communicatively connected to generate the public/private key pair, and the private key is stored in the extension encryption hardware. The public key is encrypted as follows: terminal I is preloaded with a base key; when registering a mobile phone number, terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server sends an SMS verification code to terminal I and binds the device ID information of terminal I to the mobile phone number; after receiving the SMS verification code, terminal I diversifies the base key with the SMS verification code to obtain a first temporary key, encrypts the public key of terminal I with the first temporary key, and submits the encrypted public key to the server.
Preferably, in step A2, the server decrypts the encrypted public key of terminal I as follows: the server is preloaded with a base key; after receiving the encrypted public key, the server diversifies the base key with the SMS verification code it sent to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key.
Preferably, the extension encryption hardware is a SIM overlay card with a built-in security chip.
The invention provides at least the following beneficial effects:
What is exchanged in the invention is the public keys of terminal I and terminal II. After the exchange, each terminal encrypts the information it subsequently sends to the other with the other's public key, so that the receiver can decrypt the information with its own private key and see the plaintext.
Terminal I, terminal II, the server and the digital certificate authentication center are connected over a network. The user certificates of terminal I and terminal II are stored on the server and are issued to the other party only when terminal I and terminal II carry out a key exchange. Compared with the traditional approach of loading keys on site with a key injection device, this simplifies the key exchange flow, improves the efficiency of key exchange and shortens the waiting time of both parties.
The public keys generated when users register on terminal I and terminal II are encrypted by terminal I and terminal II respectively before being sent to the server: the base key is diversified with the SMS verification code to obtain the first temporary key, the public key is encrypted with it, and the result is transmitted over the network to the server. This prevents man-in-the-middle attacks and replay attacks during registration and ensures the security of the public keys.
Further advantages, objects and features of the invention will in part be apparent from the following description and in part be understood by those skilled in the art through study and practice of the invention.
Detailed description
The invention is described in further detail below with reference to embodiments, so that those skilled in the art can implement it by referring to the text of the description.
It should be understood that terms such as "having", "comprising" and "including" used herein do not preclude the presence or addition of one or more other elements or combinations thereof.
In this certificate-based end-to-end key exchange method, the key being exchanged is the public key: terminal I obtains the public key of terminal II, and terminal II likewise obtains the public key of terminal I. The method is described in detail below taking terminal I as the example, and comprises:
Step 1: terminal I obtains the public key of terminal II, as follows:
A1. User X generates a public/private key pair, that is, a public key and a private key, when registering on terminal I. The key pair is not produced when terminal I is manufactured; it is generated only when user X registers in the client, app or other application on terminal I, and it corresponds uniquely to the account user X registers. Terminal I encrypts the public key and submits it to the server; the server here is the cloud back end that the client, app or other application synchronizes with;
A2. The server decrypts the encrypted public key of terminal I and submits the decrypted public key to the digital certificate authentication center. The digital certificate authentication center is connected to the server over the network for information transfer; both run as cloud back-end services and together serve the exchange of public keys between terminal I and terminal II. The digital certificate authentication center makes the user certificate of terminal I and transmits it to the server, and the server stores the user certificate of terminal I;
A3. Terminal I generates a request message for a key exchange with terminal II, digitally signs the request message with the private key of terminal I, and sends it to the server;
A4. After the server successfully verifies the digital signature with the public key of terminal I, it issues the user certificate of terminal I to terminal II and at the same time pushes the key exchange request to terminal II; after terminal II agrees to the exchange, the server issues the user certificate of terminal II to terminal I. At this point the user certificate of terminal II has already been saved on the server, and it is made by the same process as that of terminal I;
A5. Terminal I uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal II out of the user certificate of terminal II, and saves it. The root certificate of the digital certificate authentication center is unique here and is used only to parse the user certificate from terminal II so as to obtain the public key of terminal II.
Terminal II obtains the public key of terminal I on the same principle by which terminal I obtains the public key of terminal II.
The public keys generated when users register on terminal I and terminal II are encrypted by terminal I and terminal II respectively and then transmitted over the network to the server, which prevents man-in-the-middle attacks and replay attacks during registration and ensures the security of the public keys. After the server decrypts a public key, the digital certificate authentication center further certifies it by making it into a user certificate; terminal I and terminal II then use the preinstalled root certificate of the digital certificate authentication center to parse the other party's public key out of its user certificate. When a key exchange request is sent, it must be signed and the signature verified with the terminal's public/private key pair, which establishes each terminal's public key; the user certificate made by the digital certificate authentication center then further confirms the identity behind the public key, ensuring that the public keys terminal I and terminal II exchange are indeed their own and thereby securing the subsequent interaction.
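Steps A3 to A5 as an added example (not code from the patent): the server checks the signed request against the requester's stored certificate, and the terminal accepts the peer's public key only when the certificate verifies under the preinstalled root key. The unpadded hash-then-sign RSA, the JSON certificate layout, the subject names and the `expected_subject` check are assumptions standing in for the hardware RSA interface and real certificates.

```python
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=24):
    # Miller-Rabin test; used only to build demo-grade keys.
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def keypair(bits=1024, e=65537):
    """Return ((n, e), d); stands in for the hardware RSA interface."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), pow(e, -1, phi)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, pub, d):
    return pow(_digest(msg, pub[0]), d, pub[0])

def verify(msg, sig, pub):
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == _digest(msg, n)

def _signed_fields(subject, pub):
    return json.dumps({"subject": subject, "n": pub[0], "e": pub[1]},
                      sort_keys=True).encode()

def make_certificate(subject, pub, ca_pub, ca_d):
    """Role of the digital certificate authentication center in step A2."""
    return {"subject": subject, "n": pub[0], "e": pub[1],
            "sig": sign(_signed_fields(subject, pub), ca_pub, ca_d)}

def parse_certificate(cert, root_pub, expected_subject):
    """Step A5: return the peer key only if the CA signature verifies."""
    pub = (cert["n"], cert["e"])
    if cert["subject"] != expected_subject or not verify(
            _signed_fields(cert["subject"], pub), cert["sig"], root_pub):
        raise ValueError("certificate rejected")
    return pub

class ExchangeServer:
    def __init__(self):
        self.certs = {}  # subject -> stored user certificate

    def handle_request(self, requester, peer, request, sig, peer_agrees):
        """Steps A3/A4: verify the request signature, then release certificates."""
        cert = self.certs[requester]
        if not verify(request, sig, (cert["n"], cert["e"])):
            return None
        return {"to_peer": cert,
                "to_requester": self.certs[peer] if peer_agrees else None}

def demo():
    ca_pub, ca_d = keypair()                       # root key pair of the CA
    server, keys = ExchangeServer(), {}
    for subject in ("terminal-I", "terminal-II"):  # constructed subject names
        keys[subject] = keypair()
        server.certs[subject] = make_certificate(subject, keys[subject][0], ca_pub, ca_d)
    (pub1, d1), (pub2, d2) = keys["terminal-I"], keys["terminal-II"]
    request = b"key-exchange|from=terminal-I|to=terminal-II"  # constructed format
    out = server.handle_request("terminal-I", "terminal-II", request,
                                sign(request, pub1, d1), True)
    peer_key = parse_certificate(out["to_requester"], ca_pub, "terminal-II")
    # Same request signed with a key that is not terminal I's.
    wrong = server.handle_request("terminal-I", "terminal-II", request,
                                  sign(request, pub2, d2), True)
    # Certificate whose key field was replaced after the CA signed it.
    swapped = dict(out["to_requester"], n=pub1[0])
    try:
        parse_certificate(swapped, ca_pub, "terminal-II")
        swapped_accepted = True
    except ValueError:
        swapped_accepted = False
    return {"peer_key_ok": peer_key == pub2,
            "wrong_signer_accepted": wrong is not None,
            "swapped_cert_accepted": swapped_accepted}

if __name__ == "__main__":
    print(demo())
```

The terminal trusts the server only for delivery: a certificate altered in storage or in transit fails the root-key check on the receiving terminal.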
In another technical solution, the method further comprises:
Step 2: terminal II obtains the public key of terminal I, as follows:
B1. User Y generates a public/private key pair, that is, a public key and a private key, when registering on terminal II. The key pair is not produced when terminal II is manufactured; it is generated only when user Y registers in the client, app or other application on terminal II, and it corresponds uniquely to the account user Y registers. Terminal II encrypts the public key and submits it to the server; the server here is the cloud back end that the client, app or other application synchronizes with;
B2. The server decrypts the encrypted public key of terminal II and submits the decrypted public key to the digital certificate authentication center. The digital certificate authentication center is connected to the server over the network for information transfer; both run as cloud back-end services and together serve the exchange of public keys between terminal I and terminal II. The digital certificate authentication center makes the user certificate of terminal II and transmits it to the server, and the server stores the user certificate of terminal II;
B3. Terminal II generates a request message for a key exchange with terminal I, digitally signs the request message with the private key of terminal II, and sends it to the server;
B4. After the server successfully verifies the digital signature with the public key of terminal II, it issues the user certificate of terminal II to terminal I and at the same time pushes the key exchange request to terminal I; after terminal I agrees to the exchange, the server issues the user certificate of terminal I to terminal II;
B5. Terminal II uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal I out of the user certificate of terminal I, and saves it, which completes the key exchange. The root certificate of the digital certificate authentication center is unique here and is used only to parse the user certificate from terminal I so as to obtain the public key of terminal I.
Terminal II obtains the public key of terminal I, completing the key exchange and providing the basic guarantee for the security of subsequent exchanges.
In another technical solution, the method further comprises:
Step 3: terminal I and terminal II exchange information, specifically:
C1. Information that user X enters on terminal I is encrypted with the public key of terminal II saved in terminal I and sent to terminal II; terminal II decrypts the received information with its own private key and presents the plaintext, so that user Y sees the plaintext;
C2. Information that user Y enters on terminal II is encrypted with the public key of terminal I saved in terminal II and sent to terminal I; terminal I decrypts the received information with its own private key and presents the plaintext, so that user X sees the plaintext. This completes the exchange of information and achieves the final purpose of the key exchange.
In another technical solution, before terminal I and terminal II exchange information, the identity registered on terminal I and on terminal II must each pass login verification. The registered identity is a mobile phone number, and each user corresponds to one mobile phone number. Specifically: after user X has registered a mobile phone number on terminal I, at login user X enters the previously registered mobile phone number in the interface of the client, app or other application on terminal I; terminal I submits the mobile phone number and the device ID information of terminal I to the server, and the server checks the mobile phone number and device ID information submitted by terminal I; if they are consistent, login is allowed. Login verification on terminal II works the same way as on terminal I. Only after a successful login can the subsequent key exchange and the exchange of information take place.
In another technical solution, in step A1, when user X registers on terminal I, terminal I calls the RSA algorithm interface of an extension encryption hardware with which it is communicatively connected to generate the public/private key pair; the private key is stored in the extension encryption hardware, and terminal I encrypts the public key and submits it to the server. The public key is encrypted as follows: terminal I is preloaded with a base key, which is installed on terminal I in advance and is used to encrypt the public key of terminal I. When user X registers a mobile phone number on terminal I, terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server sends an SMS verification code to terminal I and binds the device ID information of terminal I to the mobile phone number. After receiving the SMS verification code, terminal I diversifies the base key with the SMS verification code to obtain a first temporary key, encrypts the public key of terminal I with the first temporary key, and submits the encrypted public key to the server.
The SMS verification code the server sends to terminal I is random and differs each time it is issued, and it is valid only for the period of the registration. Diversifying the base key with the SMS verification code to obtain the first temporary key, and encrypting the public key with it, prevents man-in-the-middle attacks and replay attacks during registration.
The public key of terminal II is encrypted in the same way as that of terminal I; the server stores the encrypted public keys of terminal I and terminal II respectively.
In another technical solution, in step A2, the server decrypts the encrypted public key of terminal I as follows: the server is preloaded with a base key, which is the same as the aforementioned base key; after receiving the encrypted public key, the server diversifies the base key with the SMS verification code it sent to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key. The second temporary key is essentially identical to the first temporary key; the only difference is that the first temporary key is generated by terminal I and the second by the server.
The public key of terminal II is decrypted in the same way as that of terminal I; the server decrypts the encrypted public keys of terminal I and terminal II respectively so that the user certificates of terminal I and terminal II can subsequently be made.
In the invention, the base keys preloaded in terminal I, terminal II and the server are the same base key.
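Registration steps A1 and A2 as an added example, not code from the patent: both sides derive the temporary key by dispersing (diversifying) the base key with the SMS verification code, so a ciphertext captured in one registration does not decrypt in a later one. HMAC-SHA256 as the diversification function, the HMAC-based cipher with an integrity tag, single-use codes and all sample values are assumptions; the patent names none of them.

```python
import hashlib
import hmac
import secrets

# Constructed sample value; the scheme preloads the same base key in
# terminal I, terminal II and the server.
BASE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def diversify(base_key: bytes, sms_code: str) -> bytes:
    """Temporary key = base key diversified with the SMS verification code.
    HMAC-SHA256 is this example's choice of diversification function."""
    return hmac.new(base_key, b"reg|" + sms_code.encode(), hashlib.sha256).digest()

def _subkeys(temp_key: bytes):
    return (hmac.new(temp_key, b"enc", hashlib.sha256).digest(),
            hmac.new(temp_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(temp_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the temporary key. The tag is an addition of
    this example: it lets the server detect a blob made under another key."""
    enc_key, mac_key = _subkeys(temp_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(temp_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(temp_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class RegistrationServer:
    def __init__(self, base_key, code_source=None):
        self.base_key = base_key
        self.new_code = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.pending = {}      # (phone, device ID) -> code issued for this registration
        self.public_keys = {}  # phone -> decrypted public key, ready for the CA

    def issue_code(self, phone, device_id):
        """Bind the device ID to the phone number; the code goes out by SMS."""
        code = self.new_code()
        self.pending[(phone, device_id)] = code
        return code

    def submit(self, phone, device_id, blob):
        """Step A2: re-derive the temporary key from the code issued for this
        registration and decrypt. Consuming the code on use is an assumption."""
        code = self.pending.pop((phone, device_id), None)
        if code is None:
            return False
        try:
            self.public_keys[phone] = unseal(diversify(self.base_key, code), blob)
        except ValueError:
            return False
        return True

def demo():
    codes = iter(["481516", "234200", "771031"])     # constructed SMS codes
    server = RegistrationServer(BASE_KEY, code_source=lambda: next(codes))
    phone, device = "13800000000", "DEVICE-0001"     # constructed identifiers
    public_key = b"constructed-public-key-of-terminal-I"

    code = server.issue_code(phone, device)
    blob = seal(diversify(BASE_KEY, code), public_key)   # step A1 on terminal I
    fresh = server.submit(phone, device, blob)

    server.issue_code(phone, device)                 # a later registration
    replayed = server.submit(phone, device, blob)    # old blob against new code

    code = server.issue_code(phone, device)          # code known, base key not
    other = seal(diversify(b"\x00" * 16, code), b"substituted-key")
    substituted = server.submit(phone, device, other)
    return {"fresh": fresh, "replayed": replayed, "substituted": substituted,
            "stored": server.public_keys.get(phone)}

if __name__ == "__main__":
    print(demo())
```

Because the verification code is short, the secrecy of the temporary key rests on the base key; the code ties the ciphertext to one registration.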
In another technical solution, the extension encryption hardware is a SIM overlay card with a built-in security chip. As long as a SIM overlay card with a built-in security chip is installed in advance on each of terminal I and terminal II, the terminals can exchange their public keys through these cards on the basis of their respective user certificates, and users can then exchange information through the terminals; the exchanged information is encrypted throughout, which improves the security of the information.
Although embodiments of the invention have been disclosed above, they are not limited to the uses listed in the description and the embodiments; the invention can be applied in any field suited to it, and those skilled in the art can readily make further modifications. Therefore, without departing from the general concept defined by the claims and their equivalents, the invention is not limited to the specific details.

Claims (7)

1. A certificate-based end-to-end key exchange method, characterized by comprising:
Step 1: terminal I obtains the public key of terminal II, as follows:
A1. At registration, terminal I generates a public/private key pair, encrypts the public key and submits it to the server;
A2. The server decrypts the encrypted public key of terminal I and submits the decrypted public key to the digital certificate authentication center; the digital certificate authentication center makes the user certificate of terminal I and transmits it to the server, and the server stores the user certificate of terminal I;
A3. Terminal I generates a request message for a key exchange with terminal II, digitally signs the request message with the private key of terminal I, and sends it to the server;
A4. After the server successfully verifies the digital signature with the public key of terminal I, it issues the user certificate of terminal I to terminal II and at the same time pushes the key exchange request to terminal II; after terminal II agrees to the exchange, the server issues the user certificate of terminal II to terminal I;
A5. Terminal I uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal II out of the user certificate of terminal II, and saves it.
2. The certificate-based end-to-end key exchange method according to claim 1, characterized by further comprising:
Step 2: terminal II obtains the public key of terminal I, the detailed process being as follows:
B1. Terminal II generates a public/private key pair and, at registration, encrypts the public key and submits it to the server;
B2. The server decrypts the encrypted public key of terminal II and submits the decrypted public key to the digital certificate authentication center; the digital certificate authentication center issues the user certificate of terminal II and transmits it to the server, and the server stores the user certificate of terminal II;
B3. Terminal II generates a request message for a key exchange with terminal I, digitally signs the request message with the private key of terminal II, and sends it to the server;
B4. After the server successfully verifies the digital signature with the public key of terminal II, it delivers the user certificate of terminal II to terminal I and at the same time pushes the key exchange request to terminal I; after terminal I agrees to the exchange, the server delivers the user certificate of terminal I to terminal II;
B5. Terminal II uses the preinstalled root certificate of the digital certificate authentication center to parse the public key of terminal I from the user certificate of terminal I, and saves it, which completes the key exchange.
3. The certificate-based end-to-end key exchange method according to claim 1, characterized by further comprising:
Step 3: information is exchanged between terminal I and terminal II, specifically:
C1. Information entered on terminal I is encrypted with the public key of terminal II saved in terminal I and sent to terminal II; terminal II decrypts the received information with its own private key and presents the information in plaintext;
C2. Information entered on terminal II is encrypted with the public key of terminal I saved in terminal II and sent to terminal I; terminal I decrypts the received information with its own private key and presents the information in plaintext, which completes the exchange of information.
4. The certificate-based end-to-end key exchange method according to claim 3, characterized in that, before terminal I and terminal II exchange information, the identities registered on terminal I and on terminal II must each pass login authentication, the identity used at registration being a mobile phone number; specifically: after a mobile phone number has been registered on terminal I, at login terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server verifies the mobile phone number and the device ID information submitted by terminal I and, if they are consistent, allows the login; login authentication on terminal II follows the same principle as on terminal I.
5. The certificate-based end-to-end key exchange method according to claim 4, characterized in that, in step A1, terminal I calls the RSA algorithm interface of the extension encryption hardware with which it is communicatively connected to generate the public/private key pair, and the private key is stored in the extension encryption hardware; the detailed process of encrypting the public key is: terminal I is preinstalled with a foundation key; when terminal I registers the mobile phone number, it submits the mobile phone number and the device ID information of terminal I to the server; the server sends an SMS verification code to terminal I and binds the device ID information of terminal I to the mobile phone number; after terminal I receives the SMS verification code, it disperses (diversifies) the foundation key using the SMS verification code to obtain a first temporary key, then encrypts the public key of terminal I with the first temporary key and submits the encrypted public key to the server.
6. The certificate-based end-to-end key exchange method according to claim 5, characterized in that, in step A2, the detailed process by which the server decrypts the encrypted public key of terminal I is: the server is preinstalled with the foundation key; after receiving the encrypted public key, the server disperses (diversifies) the foundation key using the SMS verification code it sent to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key.
7. The certificate-based end-to-end key exchange method according to claim 5, characterized in that the extension encryption hardware is a SIM pasting card with a built-in security chip.
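The public key wrapping of claims 5 and 6, as an added example that is not code from the patent: both sides disperse the foundation key with the SMS verification code and must arrive at the same temporary key for decryption to succeed. The HMAC-SHA256 dispersion function, the HMAC-based stand-in cipher with an authentication tag, and all names and sample values are assumptions, since the claims name neither the dispersion algorithm nor the symmetric cipher.

```python
import hashlib
import hmac
import secrets

def diversify(foundation_key: bytes, sms_code: str) -> bytes:
    # Assumption: HMAC-SHA256 as the dispersion function; the claims name none.
    return hmac.new(foundation_key, b"wrap|" + sms_code.encode(), hashlib.sha256).digest()

def _subkeys(temp_key: bytes):
    # Separate encryption and MAC keys so one key is never used for both jobs.
    return (hmac.new(temp_key, b"enc", hashlib.sha256).digest(),
            hmac.new(temp_key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (HMAC in counter mode), used only to stay stdlib-only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap_public_key(temp_key: bytes, public_key: bytes) -> bytes:
    """Terminal side (claim 5): encrypt, then authenticate, the public key."""
    enc_key, mac_key = _subkeys(temp_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(public_key))
    ct = bytes(p ^ s for p, s in zip(public_key, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap_public_key(temp_key: bytes, blob: bytes) -> bytes:
    """Server side (claim 6): check the tag before decrypting."""
    enc_key, mac_key = _subkeys(temp_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("temporary keys differ or the blob was altered")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def register(terminal_key, server_key, code_sent, code_entered, public_key):
    """Run A1/A2: the terminal wraps with the first temporary key, the server
    unwraps with the second; they match only if key and code both match."""
    blob = wrap_public_key(diversify(terminal_key, code_entered), public_key)
    return unwrap_public_key(diversify(server_key, code_sent), blob)

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed foundation key
    pub = b"constructed public key bytes"  # placeholder for the RSA public key
    print(register(key, key, "493817", "493817", pub) == pub)
```

Because an SMS verification code carries little entropy (about 20 bits for a six-digit code such as the constructed one here), the confidentiality of the wrapped public key rests on the foundation key staying secret on both the terminal and the server.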
CN201810022875.XA 2018-01-10 2018-01-10 End-to-end key exchange method based on certificate Active CN108259486B (en)

Publications (2)

Publication Number Publication Date
CN108259486A (en) 2018-07-06
CN108259486B (en) 2020-12-01

Family

ID=62726152


Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101442411A (en) * 2008-12-23 2009-05-27 中国科学院计算技术研究所 Identification authentication method between peer-to-peer user nodes in P2P network
US20110161662A1 (en) * 2009-12-30 2011-06-30 Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd System and method for updating digital certificate automatically
CN101895847A (en) * 2010-08-02 2010-11-24 刘明晶 Short message service authenticated encryption system and method based on digital certificate
CN101986641A (en) * 2010-10-20 2011-03-16 杭州晟元芯片技术有限公司 Trusted computing platform chip applicable to mobile communication equipment and authentication method thereof
CN102111411A (en) * 2011-01-21 2011-06-29 南京信息工程大学 Method for switching encryption safety data among peer-to-peer user nodes in P2P network
CN102497581A (en) * 2011-12-14 2012-06-13 广州杰赛科技股份有限公司 Digital-certificate-based video monitoring data transmission method and system
CN102710605A (en) * 2012-05-08 2012-10-03 重庆大学 Information security management and control method under cloud manufacturing environment
US8738911B2 (en) * 2012-06-25 2014-05-27 At&T Intellectual Property I, L.P. Secure socket layer keystore and truststore generation
US20140052993A1 (en) * 2012-08-17 2014-02-20 Kabushiki Kaisha Toshiba Information operating device, information output device, and information processing method
CN104283859A (en) * 2013-07-10 2015-01-14 上海信颐信息技术有限公司 Encryption and decryption method for advisement player documents
CN104243146A (en) * 2014-09-05 2014-12-24 宇龙计算机通信科技(深圳)有限公司 Encryption communication method and device and terminal
CN106790255A (en) * 2017-01-24 2017-05-31 北京元心科技有限公司 End to end security communication means and system
CN106972919A (en) * 2017-03-29 2017-07-21 北京奇虎科技有限公司 A kind of cryptographic key negotiation method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
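Ning Jing et al.: "Design and Implementation of an End-to-End Encryption System for Removable Storage Media", Computer Engineering and Design *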

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111064738A (en) * 2019-12-26 2020-04-24 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN111064738B (en) * 2019-12-26 2022-09-30 山东方寸微电子科技有限公司 TLS (transport layer Security) secure communication method and system
CN112383399A (en) * 2020-11-06 2021-02-19 新大陆(福建)公共服务有限公司 Key processing method, system, device and medium for self-adaptive matching identity platform
CN112383399B (en) * 2020-11-06 2024-01-26 新大陆(福建)公共服务有限公司 Key processing method, system, equipment and medium of self-adaptive matching identity platform
CN112464270A (en) * 2020-12-30 2021-03-09 广汽本田汽车有限公司 Bidding file encryption and decryption method, equipment and storage medium
CN113242121A (en) * 2021-04-15 2021-08-10 哈尔滨工业大学 Safety communication method based on combined encryption

Also Published As

Publication number Publication date
CN108259486B (en) 2020-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 450000 Building 10 of Microcloud Computing Industry Park, 166 Duying Street, Zhengzhou High-tech Industrial Development Zone, Henan Province

Applicant after: Henan core shield net an Technology Development Co., Ltd.

Address before: 100193 Building 313-34, No. 4, 8th Hospital, Wangxi Road, Haidian District, Beijing

Applicant before: Core shield net (Beijing) Technology Development Co., Ltd.

GR01 Patent grant