CN108259486A - End-to-end key exchange method based on certificate - Google Patents
End-to-end key exchange method based on certificate Download PDFInfo
- Publication number
- CN108259486A CN108259486A CN201810022875.XA CN201810022875A CN108259486A CN 108259486 A CN108259486 A CN 108259486A CN 201810022875 A CN201810022875 A CN 201810022875A CN 108259486 A CN108259486 A CN 108259486A
- Authority
- CN
- China
- Prior art keywords
- terminal
- key
- server
- certificate
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/12—Messaging; Mailboxes; Announcements
- H04W4/14—Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a kind of end-to-end key exchange method based on certificate, including:Step 1: terminal I obtains the public key of terminal II, detailed process is as follows:A1, terminal I will be committed to server-side after its public key encryption;By the encrypted public key decryptions of terminal I, and by the user certificate of digital certificate authentication center making terminal I, server-side stores the user certificate of terminal I for A2, server-side;A3, terminal I generate the request message for carrying out key with terminal II and exchanging;The user certificate of terminal I is handed down to terminal II by A4, server-side, and after terminal II agrees to that key exchanges request, the user certificate of terminal II is handed down to terminal I by server-side;A5, terminal I parse public key and the preservation of terminal II from the user certificate of terminal II.Similarly, terminal II obtains the public key of terminal I.This invention simplifies keys to exchange flow, prevents the man-in-the-middle attack and Replay Attack in registration process, improves the safety of public key.
Description
Technical field
The present invention relates to information technology field, specifically a kind of end-to-end key exchange method based on certificate.
Background technology
End-to-end equipment will realize coded communication, need to exchange encryption key in advance, and major part scheme is using spy at present
The close equipment of fixed note carries out key importing in use site for equipment, and this scheme is of high cost, and inconvenient to use.Few portion
The end-to-end device keys divided lack security protection means by network exchange, are easily attacked by man-in-the-middle attack and playback
It hits.
Invention content
It is an object of the invention to solve at least the above, and provide the advantages of at least will be described later.
It is a still further object of the present invention to provide a kind of end-to-end key exchange methods based on certificate, and which simplify keys
Exchange flow, improve the efficiency of key exchange, shorten stand-by period of both sides, prevent man-in-the-middle attack in registration process and
Replay Attack, it is ensured that the safety of public key.
In order to realize these purposes and other advantages according to the present invention, a kind of end-to-end key based on certificate is provided
Exchange method, including:
Step 1: terminal I obtains the public key of terminal II, detailed process is as follows:
A1, terminal I generate public private key pair, and to being committed to server-side after public key encryption in registration;
A2, server-side by the encrypted public key decryptions of terminal I and submit the public key after decryption to digital certificate authentication center,
Digital certificate authentication center makes the user certificate of terminal I and is transmitted to server-side, the user certificate of server-side storage terminal I;
A3, terminal I generate with the request message that exchanges of terminal II progress keys, and with the private key of terminal I to request message
Server-side is sent to after being digitally signed;
A4, server-side are with the public key of terminal I to the user certificate of terminal I is handed down to terminal after the success of digital signature sign test
II, while to the solicited message that terminal II push keys exchange, terminal II agrees to after exchanging that server-side is by the user certificate of terminal II
Book is handed down to terminal I;
A5, terminal I parse end with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal II
Hold the public key of II and preservation.
Preferably, it further includes:
Step 2: terminal II obtains the public key of terminal I, detailed process is as follows:
B1, terminal II generate public private key pair, and to being committed to server-side after public key encryption in registration;
B2, server-side by the encrypted public key decryptions of terminal II and are submitted in the public key to digital certificate authentication after decryption
The heart, digital certificate authentication center make the user certificate of terminal II and are transmitted to server-side, the user of server-side storage terminal II
Certificate;
B3, terminal II generate with the request message that exchanges of terminal I progress keys, and with the private key of terminal II to request message
Server-side is sent to after being digitally signed;
B4, server-side are with the public key of terminal II to the user certificate of terminal II is handed down to end after the success of digital signature sign test
I is held, while to the solicited message that terminal I push keys exchange, terminal I agrees to after exchanging that server-side is by the user certificate of terminal I
It is handed down to terminal II;
B5, terminal II parse end with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal I
The public key of I and preservation are held, key is so far completed and exchanges.
Preferably, it further includes:
Step 3: information is exchanged by terminal I and terminal II, specially:
C1, the information inputted on terminal I are encrypted by the public key of terminal II preserved in terminal I is sent to terminal
II, terminal II are decrypted the information received using the private key of oneself, and information is presented in plain text;
C2, the information inputted on terminal II are encrypted by the public key of terminal I preserved in terminal II is sent to end
It holds I, terminal I that the information received is decrypted using the private key of oneself, information is presented in plain text, so far completes the exchange of information.
Preferably, before terminal I and terminal II exchanges information, when needing respectively to being registered on terminal I and terminal II
Identity carries out login authentication, and identity when registering is phone number, specially:After registering phone number on terminal I, log in
When, terminal I submits the phone number and the equipment id information of terminal I, the hand that server-side verification terminal I is submitted to server-side
Machine number and equipment id information, if unanimously, allowing to log in, the login authentication principle on terminal II is consistent with terminal I.
Preferably, in step A1, terminal I calls RSA Algorithm interface from the extension encryption hardware for communicate connection
Public private key pair is generated, private key is stored in the extension encryption hardware, and the detailed process of public key encryption is:Terminal I is prefabricated with basis
Key, whens terminal I registration phone numbers, submit the equipment id information of phone number and terminal I to server-side, and server-side is to end
I transmitting short message identifying codes are held, and the equipment id information of terminal I and phone number are bound, terminal I receives short message verification code
Afterwards, foundation key is disperseed using short message verification code, obtains the first temporary key, it then will be eventually using the first temporary key
The public key of end I is encrypted, and encrypted public key is submitted to server-side.
Preferably, in step A2, the detailed process of the encrypted public key decryptions of terminal I is by server-side:Server-side is pre-
Be formed with foundation key, after server-side receives encrypted public key, using be handed down to the short message verification code of terminal I to foundation key into
Row dispersion, obtains the second temporary key, the encrypted public key that terminal I is submitted is decrypted with the second temporary key.
Preferably, the extension encryption hardware is the SIM pasting cards for being built-in with safety chip.
The present invention includes at least following advantageous effect:
The object that key exchange is carried out in the present invention is the public key of terminal I and terminal II, using the public key after exchange to rear
The information that continuous terminal I and terminal II is sent mutually is encrypted, in order to which the information after exchanging can the side's of being received private of oneself
Key is decrypted, to see information in plain text.
The terminal I and terminal II, server-side, digital certificate authentication center of the present invention is network connection, by terminal I and end
The user certificate of end II is stored in server-side, and terminal I and terminal II just issue respective user certificate when carrying out key exchange
To other side, compared with traditional operation being encrypted using key charging machine scene, simplify key and exchange flow, improve
The efficiency that key exchanges shortens the stand-by period of both sides.
The public key that user generates when being registered on terminal I and terminal II in the present invention is respectively by terminal I after encryption
Server-side is sent to terminal II, foundation key is disperseed with short message verification code, the first temporary key is obtained, to public key
It is encrypted, then is transmitted through the network to server-side, prevent man-in-the-middle attack and Replay Attack in registration process, it is ensured that is public
The safety of key.
Part is illustrated to embody by further advantage, target and the feature of the present invention by following, and part will also be by this
The research and practice of invention and be understood by the person skilled in the art.
Specific embodiment
With reference to embodiment, the present invention is described in further detail, to enable those skilled in the art with reference to specification
Word can be implemented according to this.
It should be appreciated that such as " having ", "comprising" and " comprising " term used herein do not allot one or more
The presence or addition of a other element or combinations.
A kind of end-to-end key exchange method based on certificate, what key herein referred to is public key, i.e. terminal I is obtained eventually
The public key of II is held, terminal II synchronizes the public key for obtaining terminal I, is described in detail by taking terminal I as an example below, including:
Step 1: terminal I obtains the public key of terminal II, detailed process is as follows:
A1, user X generate public private key pair when being registered on terminal I, i.e., including public key and private key, public private key pair herein is not
Manufacture synchronous with terminal I, only generates, and obtain in user X when the client on terminal I or APP or other application are registered
The public private key pair obtained register account number used when being registered with user X is uniquely corresponding, and terminal I will be committed to service after the public key encryption
End, server-side herein is the backstage high in the clouds synchronous with the client or APP or other application cloud;
A2, server-side by the encrypted public key decryptions of terminal I and submit the public key after decryption to digital certificate authentication center,
Digital certificate authentication center herein is and server-side network connection, realization information are transmitted, digital certificate authentication center and service
End is the high in the clouds of running background, and common service carries out the exchange of public key between terminal I and terminal II, in digital certificate authentication
The heart makes the user certificate of terminal I and is transmitted to server-side, the user certificate of server-side storage terminal I;
A3, terminal I generate with the request message that exchanges of terminal II progress keys, and with the private key of terminal I to request message
Server-side is sent to after being digitally signed;
A4, server-side are with the public key of terminal I to the user certificate of terminal I is handed down to terminal after the success of digital signature sign test
II, while to the solicited message that terminal II push keys exchange, terminal II agrees to after exchanging that server-side is by the user certificate of terminal II
Book is handed down to terminal I;Herein, the user certificate of terminal II has been saved in server-side, and the making of the user certificate of terminal II
Principle of Process is as terminal I;
A5, terminal I parse end with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal II
Hold the public key of II and preservation.The root certificate of digital certificate authentication center is unique herein, is only used for parsing and comes from terminal II
User certificate, so as to obtain terminal II public keys.
The principle that terminal II obtains the public key of terminal I is consistent with the principle of the terminal I public keys for obtaining terminal II.
The object that key exchange is carried out in the present invention is the public key of terminal I and terminal II, using the public key after exchange to rear
The information that continuous terminal I and terminal II is sent mutually is encrypted, in order to which the information after exchanging can the side's of being received private of oneself
Key is decrypted, to see information in plain text.
The terminal I and terminal II, server-side, digital certificate authentication center of the present invention is network connection, by terminal I and end
The user certificate of end II is stored in server-side, and terminal I and terminal II just issue respective user certificate when carrying out key exchange
To other side, compared with traditional operation being encrypted using key charging machine scene, simplify key and exchange flow, improve
The efficiency that key exchanges shortens the stand-by period of both sides.
The public key that user generates when being registered on terminal I and terminal II in the present invention is respectively by terminal I after encryption
Server-side is sent to terminal II, public key is encrypted, then be transmitted through the network to server-side, in preventing in registration process
Between people attack and Replay Attack, it is ensured that the safety of public key, after the public key of server-side is decrypted, by digital certificate authentication
The heart carries out further certification to public key, that is, is fabricated to user certificate, then recognized by digital certificate prefabricated in terminal I and terminal II
The root certificate at card center parses the public key of the other side in user certificate.The present invention send request key exchange information when,
The public private key pair of terminal is needed to be signed and sign test, determines mutual public key, then the use made by digital certificate authentication center
Family certificate carries out public key the confirmation of further identity, it is ensured that terminal I and the terminal II public keys to be exchanged are exactly its respective public affairs
Key ensure that the safety of follow-up interaction.
In another technical solution, further include:
Step 2: terminal II obtains the public key of terminal I, detailed process is as follows:
B1, user Y generate public private key pair when terminal II is in registration, i.e., including public key and private key, public private key pair herein
Manufacture not synchronous with terminal II, only generates in user Y when the client on terminal II or APP or other application are registered,
And the public private key pair obtained it is used when being registered with user Y register account number it is uniquely corresponding, terminal II will be submitted after the public key encryption
To server-side, server-side herein is the backstage high in the clouds synchronous with the client or APP or other application cloud;
B2, server-side by the encrypted public key decryptions of terminal II and are submitted in the public key to digital certificate authentication after decryption
The heart, digital certificate authentication center herein are and server-side network connection, realization information transmission, digital certificate authentication center and clothes
Business end is the high in the clouds of running background, and common service carries out the exchange of public key, digital certificate authentication between terminal I and terminal II
Center makes the user certificate of terminal II and is transmitted to server-side, the user certificate of server-side storage terminal II;
B3, terminal II generate with the request message that exchanges of terminal I progress keys, and with the private key of terminal II to request message
Server-side is sent to after being digitally signed;
B4, server-side are with the public key of terminal II to the user certificate of terminal II is handed down to end after the success of digital signature sign test
I is held, while to the solicited message that terminal I push keys exchange, terminal I agrees to after exchanging that server-side is by the user certificate of terminal I
It is handed down to terminal II;
B5, terminal II parse end with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal I
The public key of I and preservation are held, key is so far completed and exchanges.The root certificate of digital certificate authentication center is unique herein, is only used for
Parsing comes from the user certificate of terminal I, so as to obtain terminal I public keys.
Terminal II obtains the public key of terminal I, completes key and exchanges, the safety exchanged for follow-up provides basic guarantor
Barrier.
In another technical solution, further include:
Step 3: information is exchanged by terminal I and terminal II, specially:
Transmission is encrypted by the public key of terminal II preserved in terminal I in the information that C1, user X are inputted on terminal I
It gives terminal II, terminal II that the information received is decrypted using the private key of oneself, information is presented in plain text, so that user Y sees
Information is in plain text;
Transmission is encrypted by the public key of terminal I preserved in terminal II in the information that C2, user Y are inputted on terminal II
It gives terminal I, terminal I that the information received is decrypted using the private key of oneself, information is presented in plain text, so that user X sees letter
Breath in plain text, so far completes the exchange of information, realizes the final purpose that key exchanges.
In another technical solution, before terminal I and terminal II exchange information, need respectively on terminal I and terminal II
Identity during registration carries out login authentication, and identity when registering is phone number, and a user corresponds to a phone number, specifically
For:After user X registers phone number on terminal I, during login, clients or APP or other application of the user X on terminal I
Phone number when being registered before the input of interface, terminal I submit the device id of the phone number and terminal I to believe to server-side
Breath, phone number and equipment id information that server-side verification terminal I is submitted, if unanimously, allowing to log in, on terminal II
Authentication principle is as terminal I.After logining successfully, the process of subsequent key exchange could be carried out and realize that information is handed over
The behavior changed.
In another technical solution, in step A1, for user X when being registered on terminal I, terminal I is from communicating connection
It extends and RSA Algorithm interface generation public private key pair is called in encryption hardware, private key is stored in the extension encryption hardware, and terminal I will
Server-side is committed to after the public key encryption, the detailed process of public key encryption is:Terminal I is prefabricated with foundation key, basic close herein
Key be in advance it is prefabricated on terminal I, be encrypted for the public key to terminal I, user X on terminal I register phone number when,
Terminal I submits the phone number and the equipment id information of terminal I to server-side, server-side to terminal I transmitting short message identifying codes,
And bind the equipment id information of terminal I and the phone number, after terminal I receives short message verification code, utilize the short-message verification
Code disperses foundation key, obtains the first temporary key, is then carried out the public key of terminal I using first temporary key
Encryption, and encrypted public key is submitted into server-side.
The short message verification code that server-side is handed down to terminal I is random, and the short message verification code issued each time is different,
That a period of time when the term of validity is only for for registering, foundation key is disperseed with short message verification code, first is obtained and faces
When key pair public key be encrypted, the man-in-the-middle attack and Replay Attack in registration process can be prevented.
To the principle that the public key of terminal II is encrypted as terminal I, server-side stores terminal I and terminal II respectively
Encrypted public key.
In another technical solution, in step A2, the detailed process of the encrypted public key decryptions of terminal I is by server-side:
Server-side is prefabricated with foundation key, and for foundation key herein as aforementioned foundation key, server-side receives encrypted public affairs
After key, foundation key is disperseed using the short message verification code for being handed down to terminal I, obtains the second temporary key, is faced with second
When the encrypted public key submitted of key pair terminal I be decrypted.Second temporary key is substantially identical with the first temporary key,
Only the first temporary key is generated by terminal I, and the second temporary key is generated by server-side.
To the principle that the public key of terminal II is decrypted as terminal I, server-side respectively by terminal I and terminal II plus
Public key after close has carried out decryption oprerations, in order to subsequently make terminal I and the respective user certificates of terminal II.
In the present invention, foundation key prefabricated respectively is same foundation key in terminal I, terminal II and server-side.
In another technical solution, the extension encryption hardware is the SIM pasting cards for being built-in with safety chip.As long as terminal
Installation in advance is built-in with the SIM pasting cards of safety chip respectively on I and terminal II, it is possible to be built-in with safe core by respective
The SIM pasting cards of piece realize being exchanged with each other for respective public key based on respective user certificate, and then user is made to pass through terminal reality
The exchange of existing information to the encryption of the information realization of exchange in whole process, improves the safety of information.
Although the embodiments of the present invention have been disclosed as above, but its be not restricted in specification and embodiment it is listed
With it can be fully applied to various fields suitable for the present invention, for those skilled in the art, can be easily
Realize other modification, therefore without departing from the general concept defined in the claims and the equivalent scope, it is of the invention and unlimited
In specific details.
Claims (7)
1. a kind of end-to-end key exchange method based on certificate, which is characterized in that including:
Step 1: terminal I obtains the public key of terminal II, detailed process is as follows:
A1, terminal I generate public private key pair, and to being committed to server-side after public key encryption in registration;
A2, server-side by the encrypted public key decryptions of terminal I and submit the public key after decryption to digital certificate authentication center, number
Certificate verification center makes the user certificate of terminal I and is transmitted to server-side, the user certificate of server-side storage terminal I;
A3, terminal I generate the request message for carrying out key with terminal II and exchanging, and request message is carried out with the private key of terminal I
Server-side is sent to after digital signature;
A4, server-side with the public key of terminal I to the user certificate of terminal I is handed down to terminal II after the success of digital signature sign test,
The solicited message exchanged simultaneously to terminal II push keys, terminal II agree to after exchanging that server-side is by the user certificate of terminal II
It is handed down to terminal I;
A5, terminal I parse terminal II with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal II
Public key and preservation.
2. the end-to-end key exchange method based on certificate as described in claim 1, which is characterized in that further include:
Step 2: terminal II obtains the public key of terminal I, detailed process is as follows:
B1, terminal II generate public private key pair, and to being committed to server-side after public key encryption in registration;
B2, server-side by the encrypted public key decryptions of terminal II and submit the public key after decryption to digital certificate authentication center, number
Word certificate verification center makes the user certificate of terminal II and is transmitted to server-side, the user certificate of server-side storage terminal II;
B3, terminal II generate the request message for carrying out key with terminal I and exchanging, and request message is carried out with the private key of terminal II
Server-side is sent to after digital signature;
B4, server-side with the public key of terminal II to the user certificate of terminal II is handed down to terminal I after the success of digital signature sign test,
The solicited message exchanged simultaneously to terminal I push keys, terminal I agree to after exchanging that server-side issues the user certificate of terminal I
Give terminal II;
B5, terminal II parse terminal I's with the root certificate of prefabricated digital certificate authentication center from the user certificate of terminal I
Public key simultaneously preserves, and so far completes key and exchanges.
3. the end-to-end key exchange method based on certificate as described in claim 1, which is characterized in that further include:
Step 3: information is exchanged by terminal I and terminal II, specially:
C1, the information inputted on terminal I are encrypted by the public key of terminal II preserved in terminal I is sent to terminal II,
Terminal II is decrypted the information received using the private key of oneself, and information is presented in plain text;
C2, the information inputted on terminal II are encrypted by the public key of terminal I preserved in terminal II is sent to terminal I,
Terminal I is decrypted the information received using the private key of oneself, and information is presented in plain text, so far completes the exchange of information.
4. the end-to-end key exchange method based on certificate as claimed in claim 3, which is characterized in that terminal I and terminal II
Before exchanging information, identity when needing respectively to being registered on terminal I and terminal II carries out login authentication, identity when registering as
Phone number, specially:After registering phone number on terminal I, during login, terminal I to server-side submit the phone number with
And the equipment id information of terminal I, phone number and equipment id information that server-side verification terminal I is submitted, if unanimously, permitting
Perhaps it logs in, the login authentication principle on terminal II is consistent with terminal I.
5. the end-to-end key exchange method based on certificate as claimed in claim 4, which is characterized in that in step A1, terminal I
RSA Algorithm interface generation public private key pair is called from the extension encryption hardware for communicate connection, private key is stored in the extension and adds
In close hardware, the detailed process to public key encryption is:Terminal I is prefabricated with foundation key, to service during terminal I registration phone numbers
The equipment id information of phone number and terminal I are submitted in end, and server-side is to terminal I transmitting short message identifying codes, and setting terminal I
Standby id information is bound with phone number, and after terminal I receives short message verification code, foundation key is divided using short message verification code
It dissipates, obtains the first temporary key, then the public key of terminal I is encrypted using the first temporary key, and by encrypted public affairs
Key submits to server-side.
6. the end-to-end key exchange method based on certificate as claimed in claim 5, which is characterized in that in step A2, service
The detailed process of the encrypted public key decryptions of terminal I is by end:Server-side is prefabricated with foundation key, and server-side receives encrypted
After public key, foundation key is disperseed using the short message verification code for being handed down to terminal I, obtains the second temporary key, with second
The encrypted public key that terminal I is submitted is decrypted in temporary key.
7. the end-to-end key exchange method based on certificate as claimed in claim 5, which is characterized in that the extension encryption is hard
Part is the SIM pasting cards for being built-in with safety chip.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810022875.XA CN108259486B (en) | 2018-01-10 | 2018-01-10 | End-to-end key exchange method based on certificate |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810022875.XA CN108259486B (en) | 2018-01-10 | 2018-01-10 | End-to-end key exchange method based on certificate |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108259486A true CN108259486A (en) | 2018-07-06 |
CN108259486B CN108259486B (en) | 2020-12-01 |
Family
ID=62726152
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810022875.XA Active CN108259486B (en) | 2018-01-10 | 2018-01-10 | End-to-end key exchange method based on certificate |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108259486B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111064738A (en) * | 2019-12-26 | 2020-04-24 | 山东方寸微电子科技有限公司 | TLS (transport layer Security) secure communication method and system |
CN112383399A (en) * | 2020-11-06 | 2021-02-19 | 新大陆(福建)公共服务有限公司 | Key processing method, system, device and medium for self-adaptive matching identity platform |
CN112464270A (en) * | 2020-12-30 | 2021-03-09 | 广汽本田汽车有限公司 | Bidding file encryption and decryption method, equipment and storage medium |
CN113242121A (en) * | 2021-04-15 | 2021-08-10 | 哈尔滨工业大学 | Safety communication method based on combined encryption |
Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101442411A (en) * | 2008-12-23 | 2009-05-27 | 中国科学院计算技术研究所 | Identification authentication method between peer-to-peer user nodes in P2P network |
CN101895847A (en) * | 2010-08-02 | 2010-11-24 | 刘明晶 | Short message service authenticated encryption system and method based on digital certificate |
CN101986641A (en) * | 2010-10-20 | 2011-03-16 | 杭州晟元芯片技术有限公司 | Trusted computing platform chip applicable to mobile communication equipment and authentication method thereof |
CN102111411A (en) * | 2011-01-21 | 2011-06-29 | 南京信息工程大学 | Method for switching encryption safety data among peer-to-peer user nodes in P2P network |
US20110161662A1 (en) * | 2009-12-30 | 2011-06-30 | Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd | System and method for updating digital certificate automatically |
CN102497581A (en) * | 2011-12-14 | 2012-06-13 | 广州杰赛科技股份有限公司 | Digital-certificate-based video monitoring data transmission method and system |
CN102710605A (en) * | 2012-05-08 | 2012-10-03 | 重庆大学 | Information security management and control method under cloud manufacturing environment |
US20140052993A1 (en) * | 2012-08-17 | 2014-02-20 | Kabushiki Kaisha Toshiba | Information operating device, information output device, and information processing method |
US8738911B2 (en) * | 2012-06-25 | 2014-05-27 | At&T Intellectual Property I, L.P. | Secure socket layer keystore and truststore generation |
CN104243146A (en) * | 2014-09-05 | 2014-12-24 | 宇龙计算机通信科技(深圳)有限公司 | Encryption communication method and device and terminal |
CN104283859A (en) * | 2013-07-10 | 2015-01-14 | 上海信颐信息技术有限公司 | Encryption and decryption method for advisement player documents |
CN106790255A (en) * | 2017-01-24 | 2017-05-31 | 北京元心科技有限公司 | End to end security communication means and system |
CN106972919A (en) * | 2017-03-29 | 2017-07-21 | 北京奇虎科技有限公司 | A kind of cryptographic key negotiation method and device |
-
2018
- 2018-01-10 CN CN201810022875.XA patent/CN108259486B/en active Active
Patent Citations (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101442411A (en) * | 2008-12-23 | 2009-05-27 | 中国科学院计算技术研究所 | Identification authentication method between peer-to-peer user nodes in P2P network |
US20110161662A1 (en) * | 2009-12-30 | 2011-06-30 | Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd | System and method for updating digital certificate automatically |
CN101895847A (en) * | 2010-08-02 | 2010-11-24 | 刘明晶 | Short message service authenticated encryption system and method based on digital certificate |
CN101986641A (en) * | 2010-10-20 | 2011-03-16 | 杭州晟元芯片技术有限公司 | Trusted computing platform chip applicable to mobile communication equipment and authentication method thereof |
CN102111411A (en) * | 2011-01-21 | 2011-06-29 | 南京信息工程大学 | Method for switching encryption safety data among peer-to-peer user nodes in P2P network |
CN102497581A (en) * | 2011-12-14 | 2012-06-13 | 广州杰赛科技股份有限公司 | Digital-certificate-based video monitoring data transmission method and system |
CN102710605A (en) * | 2012-05-08 | 2012-10-03 | 重庆大学 | Information security management and control method under cloud manufacturing environment |
US8738911B2 (en) * | 2012-06-25 | 2014-05-27 | At&T Intellectual Property I, L.P. | Secure socket layer keystore and truststore generation |
US20140052993A1 (en) * | 2012-08-17 | 2014-02-20 | Kabushiki Kaisha Toshiba | Information operating device, information output device, and information processing method |
CN104283859A (en) * | 2013-07-10 | 2015-01-14 | 上海信颐信息技术有限公司 | Encryption and decryption method for advisement player documents |
CN104243146A (en) * | 2014-09-05 | 2014-12-24 | 宇龙计算机通信科技(深圳)有限公司 | Encryption communication method and device and terminal |
CN106790255A (en) * | 2017-01-24 | 2017-05-31 | 北京元心科技有限公司 | End to end security communication means and system |
CN106972919A (en) * | 2017-03-29 | 2017-07-21 | 北京奇虎科技有限公司 | A kind of cryptographic key negotiation method and device |
Non-Patent Citations (1)
Title |
---|
宁静等: "移动存储介质端到端加密系统设计与实现", 《计算机工程与设计》 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111064738A (en) * | 2019-12-26 | 2020-04-24 | 山东方寸微电子科技有限公司 | TLS (transport layer Security) secure communication method and system |
CN111064738B (en) * | 2019-12-26 | 2022-09-30 | 山东方寸微电子科技有限公司 | TLS (transport layer Security) secure communication method and system |
CN112383399A (en) * | 2020-11-06 | 2021-02-19 | 新大陆(福建)公共服务有限公司 | Key processing method, system, device and medium for self-adaptive matching identity platform |
CN112383399B (en) * | 2020-11-06 | 2024-01-26 | 新大陆(福建)公共服务有限公司 | Key processing method, system, equipment and medium of self-adaptive matching identity platform |
CN112464270A (en) * | 2020-12-30 | 2021-03-09 | 广汽本田汽车有限公司 | Bidding file encryption and decryption method, equipment and storage medium |
CN113242121A (en) * | 2021-04-15 | 2021-08-10 | 哈尔滨工业大学 | Safety communication method based on combined encryption |
Also Published As
Publication number | Publication date |
---|---|
CN108259486B (en) | 2020-12-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106101068B (en) | Terminal communicating method and system | |
CN111314056B (en) | Heaven and earth integrated network anonymous access authentication method based on identity encryption system | |
CN101005359B (en) | Method and device for realizing safety communication between terminal devices | |
CN100488280C (en) | Authentifying method and relative information transfer method | |
CN100566460C (en) | Utilize authentication and cryptographic key negotiation method between the mobile entity that short message realizes | |
CN109347635A (en) | A kind of Internet of Things security certification system and authentication method based on national secret algorithm | |
CN108270571A (en) | Internet of Things identity authorization system and its method based on block chain | |
CN109347809A (en) | A kind of application virtualization safety communicating method towards under autonomous controllable environment | |
CN102685749B (en) | Wireless safety authentication method orienting to mobile terminal | |
CN101902476A (en) | Method for authenticating identity of mobile peer-to-peer user | |
CN108259486A (en) | End-to-end key exchange method based on certificate | |
TWI632798B (en) | Server, mobile terminal, and network real-name authentication system and method | |
CN102404347A (en) | Mobile internet access authentication method based on public key infrastructure | |
CN112543166B (en) | Real name login method and device | |
CN103906052A (en) | Mobile terminal authentication method, service access method and equipment | |
CN106230594B (en) | A method of user authentication is carried out based on dynamic password | |
CN108400962B (en) | Authentication and key agreement method under multi-server architecture | |
CN109063438A (en) | A kind of data access method, device, local data secure access equipment and terminal | |
CN103338201A (en) | Remote identity authentication method participated in by registration center under multi-sever environment | |
CN104202299A (en) | System and method of identity authentication based on Bluetooth | |
CN105357186A (en) | Secondary authentication method based on out-of-band authentication and enhanced OTP (One-time Password) mechanism | |
CN105577612A (en) | Identity authentication method, third party server, merchant server, and user terminal | |
CN103037366A (en) | Mobile terminal user authentication method and mobile terminal based on asymmetric cryptographic technique | |
CN106453431A (en) | Method for realizing Internet intersystem authentication based on PKI | |
CN107360124A (en) | Access authentication method and device, WAP and user terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | ||
CB02 | Change of applicant information |
Address after: 450000 Building 10 of Microcloud Computing Industry Park, 166 Duying Street, Zhengzhou High-tech Industrial Development Zone, Henan Province Applicant after: Henan core shield net an Technology Development Co., Ltd. Address before: 100193 Building 313-34, No. 4, 8th Hospital, Wangxi Road, Haidian District, Beijing Applicant before: Core shield net (Beijing) Technology Development Co., Ltd. |
|
GR01 | Patent grant | ||
GR01 | Patent grant |