CN108259486B - End-to-end key exchange method based on certificate - Google Patents

Info

Publication number: CN108259486B
Authority: CN (China)
Prior art keywords: terminal, key, server, public key, certificate
Legal status: Active (the listed status is an assumption, not a legal conclusion)
Application number: CN201810022875.XA
Other languages: Chinese (zh)
Other versions: CN108259486A (en)
Inventors: 王靖, 姚明月, 罗东平, 庞潼川, 杨成功
Current Assignee: Henan Core Shield Secnet Technology Development Co ltd
Original Assignee: Henan Core Shield Secnet Technology Development Co ltd

Classifications

    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Abstract

The invention discloses a certificate-based end-to-end key exchange method comprising the following steps. Step one, terminal I acquires the public key of terminal II, as follows: a1, terminal I encrypts its public key and submits the encrypted public key to the server; a2, the server decrypts the public key encrypted by terminal I, the digital certificate authentication center creates the user certificate of terminal I, and the server stores the user certificate of terminal I; a3, terminal I generates a request message for exchanging keys with terminal II; a4, the server issues the user certificate of terminal I to terminal II and, after terminal II agrees to the key exchange request, issues the user certificate of terminal II to terminal I; a5, terminal I parses the public key of terminal II from the user certificate of terminal II and stores it. Terminal II obtains the public key of terminal I in the same way. The invention simplifies the key exchange process, prevents man-in-the-middle and replay attacks during registration, and improves the security of the public key.

Description

End-to-end key exchange method based on certificate
Technical Field
The invention relates to the field of information technology, and in particular to a certificate-based end-to-end key exchange method.
Background
End-to-end devices must exchange encryption keys in advance in order to communicate in encrypted form. Most current schemes use dedicated encryption equipment and import keys into the devices on site, which is costly and inconvenient. A small proportion of end-to-end device keys are exchanged over a network, but without security protections, so the exchange is highly vulnerable to man-in-the-middle and replay attacks.
Disclosure of Invention
An object of the present invention is to solve at least the above problems and to provide at least the advantages described later.
It is still another object of the present invention to provide a certificate-based end-to-end key exchange method, which simplifies the key exchange process, improves the key exchange efficiency, shortens the waiting time of both parties, prevents man-in-the-middle attacks and replay attacks during the registration process, and ensures the security of the public key.
To achieve these objects and other advantages in accordance with the purpose of the invention, there is provided a certificate-based end-to-end key exchange method, comprising:
step one, terminal I acquires the public key of terminal II, as follows:
a1, terminal I generates a public-private key pair at registration, encrypts the public key and submits the encrypted public key to the server;
a2, the server decrypts the public key encrypted by terminal I and submits the decrypted public key to a digital certificate authentication center; the digital certificate authentication center creates the user certificate of terminal I and transmits it to the server, and the server stores the user certificate of terminal I;
a3, terminal I generates a request message for key exchange with terminal II, digitally signs the request message with the private key of terminal I and sends it to the server;
a4, after the server successfully verifies the digital signature with the public key of terminal I, the server issues the user certificate of terminal I to terminal II and at the same time pushes the key exchange request to terminal II; after terminal II agrees to the exchange, the server issues the user certificate of terminal II to terminal I;
a5, terminal I uses the pre-installed root certificate of the digital certificate authentication center to parse the public key of terminal II from the user certificate of terminal II and stores it.
Preferably, the method further comprises the following steps:
step two, terminal II obtains the public key of terminal I, as follows:
b1, terminal II generates a public-private key pair at registration, encrypts the public key and submits the encrypted public key to the server;
b2, the server decrypts the public key encrypted by terminal II and submits the decrypted public key to a digital certificate authentication center; the digital certificate authentication center creates the user certificate of terminal II and transmits it to the server, and the server stores the user certificate of terminal II;
b3, terminal II generates a request message for key exchange with terminal I, digitally signs the request message with the private key of terminal II and sends it to the server;
b4, after the server successfully verifies the digital signature with the public key of terminal II, the server issues the user certificate of terminal II to terminal I and at the same time pushes the key exchange request to terminal I; after terminal I agrees to the exchange, the server issues the user certificate of terminal I to terminal II;
b5, terminal II uses the pre-installed root certificate of the digital certificate authentication center to parse the public key of terminal I from the user certificate of terminal I and stores it, which completes the key exchange.
Preferably, the method further comprises the following steps:
step three, terminal I and terminal II exchange information, as follows:
c1, information entered on terminal I is encrypted with the public key of terminal II stored on terminal I and sent to terminal II; terminal II decrypts the received information with its own private key and presents the plaintext;
c2, information entered on terminal II is encrypted with the public key of terminal I stored on terminal II and sent to terminal I; terminal I decrypts the received information with its own private key and presents the plaintext, which completes the information exchange.
Preferably, before terminal I and terminal II exchange information, the identities registered on terminal I and terminal II must pass login authentication. The identity used at registration is a mobile phone number. Specifically: after a mobile phone number has been registered on terminal I, at login terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server verifies the submitted mobile phone number and device ID information and allows the login if they are consistent. Login authentication on terminal II follows the same principle as on terminal I.
Preferably, in step a1, terminal I calls the RSA algorithm interface of the extended encryption hardware communicatively connected to it to generate the public-private key pair, and the private key is stored in the extended encryption hardware. The public key is encrypted as follows: a basic key is pre-installed on terminal I; when terminal I registers the mobile phone number, it submits the mobile phone number and the device ID information of terminal I to the server; the server issues a short message (SMS) verification code to terminal I and binds the device ID information of terminal I to the mobile phone number; after receiving the verification code, terminal I disperses the basic key with the verification code to obtain a first temporary key, encrypts the public key of terminal I with the first temporary key, and submits the encrypted public key to the server.
Preferably, in step a2, the server decrypts the public key encrypted by terminal I as follows: a basic key is pre-installed on the server; after receiving the encrypted public key, the server disperses the basic key with the short message verification code it issued to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key.
Preferably, the extended encryption hardware is a SIM film card with a built-in security chip.
The invention at least comprises the following beneficial effects:
The objects of the key exchange in the invention are the public keys of terminal I and terminal II. The exchanged public keys are used to encrypt the information subsequently sent between terminal I and terminal II, so that the receiver can decrypt the exchanged information with its private key and see the plaintext.
Terminal I, terminal II, the server and the digital certificate authentication center are all connected over a network. The user certificates of terminal I and terminal II are stored on the server, and each terminal's user certificate is issued to the other party when terminal I and terminal II perform the key exchange.
In the invention, the public keys generated when users register on terminal I and terminal II are encrypted before terminal I and terminal II send them to the server: the basic key is dispersed with the short message verification code to obtain the first temporary key, and the public key is encrypted with it and then transmitted to the server over the network. This prevents man-in-the-middle and replay attacks during registration and ensures the security of the public keys.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention.
Detailed Description
The present invention is further described in detail below with reference to examples so that those skilled in the art can practice the invention with reference to the description.
It will be understood that terms such as "having," "including," and "comprising," as used herein, do not preclude the presence or addition of one or more other elements or groups thereof.
A certificate-based end-to-end key exchange method, in which the key is a public key: terminal I obtains the public key of terminal II, and terminal II obtains the public key of terminal I at the same time. Taking terminal I as the example, the method comprises:
step one, terminal I acquires the public key of terminal II, as follows:
a1, a public-private key pair, comprising a public key and a private key, is generated when user X registers on terminal I. The key pair is not shipped with terminal I from the factory; it is generated only when user X registers in a client, an APP or another application on terminal I, and it corresponds uniquely to the account that user X registers. Terminal I encrypts the public key and submits the encrypted public key to the server, which is the cloud back end of the client, APP or other application;
a2, the server decrypts the public key encrypted by terminal I and submits the decrypted public key to a digital certificate authentication center. The digital certificate authentication center is connected to the server over a network for information transmission; both are cloud services running in the background that together serve the exchange of public keys between terminal I and terminal II. The digital certificate authentication center creates the user certificate of terminal I and transmits it to the server, and the server stores the user certificate of terminal I;
a3, terminal I generates a request message for key exchange with terminal II, digitally signs the request message with the private key of terminal I and sends it to the server;
a4, after the server successfully verifies the digital signature with the public key of terminal I, the server issues the user certificate of terminal I to terminal II and at the same time pushes the key exchange request to terminal II; after terminal II agrees to the exchange, the server issues the user certificate of terminal II to terminal I. Here, the user certificate of terminal II is already stored on the server, and it is created on the same principle as that of terminal I;
a5, terminal I uses the pre-installed root certificate of the digital certificate authentication center to parse the public key of terminal II from the user certificate of terminal II and stores it. Here, the root certificate of the digital certificate authentication center is unique and is used only to parse the user certificate from terminal II so as to obtain the public key of terminal II.
Terminal II obtains the public key of terminal I on the same principle as terminal I obtains the public key of terminal II.
The objects of the key exchange in the invention are the public keys of terminal I and terminal II. The exchanged public keys are used to encrypt the information subsequently sent between terminal I and terminal II, so that the receiver can decrypt the exchanged information with its private key and see the plaintext.
Terminal I, terminal II, the server and the digital certificate authentication center are all connected over a network. The user certificates of terminal I and terminal II are stored on the server, and each terminal's user certificate is issued to the other party when terminal I and terminal II perform the key exchange.
The public keys generated when users register on terminal I and terminal II are encrypted before terminal I and terminal II send them to the server over the network, which prevents man-in-the-middle and replay attacks during registration and ensures the security of the public keys. After the server decrypts a public key, the public key is further authenticated by the digital certificate authentication center, that is, a user certificate is created for it, and the other party's public key is then parsed from that user certificate with the root certificate of the digital certificate authentication center pre-installed on terminal I and terminal II. When a key exchange request is sent, it must be signed, and the signature verified, with the terminal's public-private key pair, which establishes each party's public key; the public keys are further confirmed by the user certificates created by the digital certificate authentication center. The public keys exchanged by terminal I and terminal II are therefore each terminal's own public key, which ensures the security of subsequent information exchange.
In another technical solution, the method further comprises:
step two, terminal II obtains the public key of terminal I, as follows:
b1, a public-private key pair, comprising a public key and a private key, is generated when user Y registers on terminal II. The key pair is not shipped with terminal II from the factory; it is generated only when user Y registers in a client, an APP or another application on terminal II, and it corresponds uniquely to the account that user Y registers. Terminal II encrypts the public key and submits the encrypted public key to the server, which is the cloud back end of the client, APP or other application;
b2, the server decrypts the public key encrypted by terminal II and submits the decrypted public key to a digital certificate authentication center. The digital certificate authentication center is connected to the server over a network for information transmission; both are cloud services running in the background that together serve the exchange of public keys between terminal I and terminal II. The digital certificate authentication center creates the user certificate of terminal II and transmits it to the server, and the server stores the user certificate of terminal II;
b3, terminal II generates a request message for key exchange with terminal I, digitally signs the request message with the private key of terminal II and sends it to the server;
b4, after the server successfully verifies the digital signature with the public key of terminal II, the server issues the user certificate of terminal II to terminal I and at the same time pushes the key exchange request to terminal I; after terminal I agrees to the exchange, the server issues the user certificate of terminal I to terminal II;
b5, terminal II uses the pre-installed root certificate of the digital certificate authentication center to parse the public key of terminal I from the user certificate of terminal I and stores it, which completes the key exchange. Here, the root certificate of the digital certificate authentication center is unique and is used only to parse the user certificate from terminal I so as to obtain the public key of terminal I.
Terminal II thereby acquires the public key of terminal I, completing the key exchange and providing the basic guarantee for the security of subsequent information exchange.
In another technical solution, the method further comprises:
step three, terminal I and terminal II exchange information, as follows:
c1, information entered by user X on terminal I is encrypted with the public key of terminal II stored on terminal I and sent to terminal II; terminal II decrypts the received information with its own private key and presents the plaintext, so that user Y can see the plaintext;
c2, information entered by user Y on terminal II is encrypted with the public key of terminal I stored on terminal II and sent to terminal I; terminal I decrypts the received information with its own private key and presents the plaintext, so that user X can see the plaintext. This completes the information exchange and achieves the final purpose of the key exchange.
In another technical solution, before terminal I and terminal II exchange information, the identities registered on terminal I and terminal II must pass login authentication. The identity used at registration is a mobile phone number, and one user corresponds to one mobile phone number. Specifically: after user X has registered a mobile phone number on terminal I, at login user X enters the previously registered mobile phone number in the interface of the client, APP or other application on terminal I; terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server verifies the submitted mobile phone number and device ID information and allows the login if they are consistent. Identity authentication on terminal II follows the same principle as on terminal I. After a successful login, the subsequent key exchange and information exchange can be carried out.
In another technical solution, in step a1, when user X registers on terminal I, terminal I calls the RSA algorithm interface of the extended encryption hardware communicatively connected to it to generate the public-private key pair, and the private key is stored in the extended encryption hardware. Terminal I encrypts the public key and submits the encrypted public key to the server. The public key is encrypted as follows: a basic key, used for encrypting the public key of terminal I, is pre-installed on terminal I; when user X registers a mobile phone number on terminal I, terminal I submits the mobile phone number and the device ID information of terminal I to the server; the server issues a short message (SMS) verification code to terminal I and binds the device ID information of terminal I to the mobile phone number; after receiving the verification code, terminal I disperses the basic key with the verification code to obtain a first temporary key, encrypts the public key of terminal I with the first temporary key, and submits the encrypted public key to the server.
The short message verification codes that the server issues to terminal I are random, every issued code is different, and each code is valid only for a limited period during registration. Dispersing the basic key with the verification code to obtain the first temporary key that encrypts the public key prevents man-in-the-middle and replay attacks during registration.
The public key of terminal II is encrypted on the same principle as that of terminal I, and the server stores the encrypted public keys of terminal I and terminal II respectively.
In another technical solution, in step a2, the server decrypts the public key encrypted by terminal I as follows: a basic key, which is the same as the basic key pre-installed on terminal I, is pre-installed on the server; after receiving the encrypted public key, the server disperses the basic key with the short message verification code it issued to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key. The second temporary key is in substance the same as the first temporary key; the difference is that the first temporary key is generated by terminal I and the second temporary key is generated by the server.
The public key of terminal II is decrypted on the same principle as that of terminal I. The server decrypts the encrypted public keys of terminal I and terminal II respectively so that the user certificates of terminal I and terminal II can subsequently be created.
In the invention, the basic keys pre-installed on terminal I, terminal II and the server are one and the same basic key.
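The registration exchange of steps a1 and a2, with the terminal and the server each deriving the temporary key from the shared basic key and the verification code, as an added example that is not part of the patent. The patent names neither the dispersion function nor the cipher, so HMAC-SHA256 and an HMAC-based encrypt-then-MAC construction stand in for them here to keep the example standard-library only (a deployment would use a vetted AEAD); the 300-second validity window, single-use codes, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

VALIDITY_SECONDS = 300  # assumed lifetime of a verification code


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def disperse(base_key: bytes, sms_code: str) -> bytes:
    """Temporary key = base key dispersed by the SMS code (HMAC-SHA256 assumed)."""
    return _prf(base_key, b"reg|" + sms_code.encode())


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode.
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(temp_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the temporary key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(temp_key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(temp_key, b"mac"), nonce + ct)


def open_sealed(temp_key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(temp_key, b"mac"), nonce + ct)):
        raise ValueError("wrong temporary key or modified ciphertext")
    return _xor_stream(_prf(temp_key, b"enc"), nonce, ct)


class Server:
    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.pending = {}  # phone -> (device_id, code, expires_at)

    def issue_code(self, phone: str, device_id: str, now: float) -> str:
        """Bind the device ID to the phone number and issue a fresh random code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (device_id, code, now + VALIDITY_SECONDS)
        return code  # delivered by SMS in the described scheme

    def accept_public_key(self, phone, device_id, blob, now) -> bytes:
        entry = self.pending.pop(phone, None)  # a code is consumed by one attempt
        if entry is None:
            raise ValueError("no registration pending")
        bound_device, code, expires_at = entry
        if device_id != bound_device or now > expires_at:
            raise ValueError("device mismatch or code expired")
        second_temp_key = disperse(self.base_key, code)  # server-side derivation
        return open_sealed(second_temp_key, blob)


def terminal_submit(base_key: bytes, sms_code: str, public_key: bytes) -> bytes:
    first_temp_key = disperse(base_key, sms_code)  # terminal-side derivation
    return seal(first_temp_key, public_key)


def rejected(server, phone, device_id, blob, now) -> bool:
    try:
        server.accept_public_key(phone, device_id, blob, now)
    except ValueError:
        return True
    return False


def demo() -> dict:
    base_key = bytes(range(32))                   # constructed base key
    public_key = b"CONSTRUCTED-PUBLIC-KEY-OF-TERMINAL-I"  # placeholder bytes
    phone, device = "10000000000", "device-001"   # constructed identifiers
    server = Server(base_key)
    code1 = server.issue_code(phone, device, now=0)
    blob1 = terminal_submit(base_key, code1, public_key)
    registered = server.accept_public_key(phone, device, blob1, now=10) == public_key
    # Replay the captured blob: with no code pending, then against a new code.
    replay_no_code = rejected(server, phone, device, blob1, now=20)
    code2 = server.issue_code(phone, device, now=30)
    while code2 == code1:  # keep the demo deterministic
        code2 = server.issue_code(phone, device, now=30)
    replay_new_code = rejected(server, phone, device, blob1, now=40)
    # A fresh submission arriving after the code has expired is refused.
    code3 = server.issue_code(phone, device, now=50)
    blob3 = terminal_submit(base_key, code3, public_key)
    expired = rejected(server, phone, device, blob3, now=51 + VALIDITY_SECONDS)
    return {"registered": registered, "replay_no_code": replay_no_code,
            "replay_new_code": replay_new_code, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The replay checks succeed only because the ciphertext is authenticated; with unauthenticated encryption the server would decrypt a replayed blob under the new temporary key into garbage rather than reject it.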
In another technical solution, the extended encryption hardware is a SIM film card with a built-in security chip. As long as SIM film cards with built-in security chips are pre-installed on terminal I and terminal II, the terminals can exchange their public keys through those cards on the basis of their user certificates, and users can then exchange information through the terminals; the exchanged information is encrypted throughout, which improves information security.
While embodiments of the invention have been disclosed above, it is not limited to the applications listed in the description and the embodiments, which are fully applicable in all kinds of fields of application of the invention, and further modifications may readily be effected by those skilled in the art, so that the invention is not limited to the specific details without departing from the general concept defined by the claims and the scope of equivalents.

Claims (6)

1. A method for certificate-based end-to-end key exchange, comprising:
step one, storing user certificates of a terminal I and a terminal II in a server;
step two, the terminal I acquires the public key of the terminal II, and the specific process is as follows:
a1, terminal I generates public and private key pair when registering, and submits to the server after encrypting the public key;
a2, the server decrypts the public key encrypted by the terminal I and submits the decrypted public key to a digital certificate authentication center, the digital certificate authentication center makes the user certificate of the terminal I and transmits the user certificate to the server, and the server stores the user certificate of the terminal I;
a3, generating a request message for key exchange with terminal II by terminal I, and sending the request message to a server after digitally signing the request message by using a private key of terminal I;
a4, after the server side successfully verifies the digital signature by the public key of the terminal I, the server side issues the user certificate of the terminal I to the terminal II, meanwhile, request information of key exchange is pushed to the terminal II, and after the terminal II agrees to the exchange, the server side issues the user certificate of the terminal II to the terminal I;
a5, terminal I uses the prefabricated root certificate of the digital certificate authentication center to parse the public key of terminal II out of the user certificate of terminal II, and stores it.
2. The certificate-based end-to-end key exchange method of claim 1, further comprising:
step three, exchanging information through the terminal I and the terminal II, which specifically comprises the following steps:
c1, the information input on terminal I is encrypted with the public key of terminal II stored in terminal I and sent to terminal II, and terminal II decrypts the received information with its own private key and presents the plaintext;
c2, the information input on terminal II is encrypted with the public key of terminal I stored in terminal II and sent to terminal I, and terminal I decrypts the received information with its own private key and presents the plaintext, so that the information exchange is completed.
3. The certificate-based end-to-end key exchange method according to claim 2, wherein before terminal I and terminal II exchange information, login authentication needs to be performed on the identities registered on terminal I and terminal II respectively, the identity used at registration being a mobile phone number, specifically: after a mobile phone number has been registered on terminal I, terminal I submits the mobile phone number and the equipment ID information of terminal I to the server when logging in, the server verifies the mobile phone number and the equipment ID information submitted by terminal I and allows the login if they are consistent, and the login authentication principle on terminal II is the same as that on terminal I.
4. The certificate-based end-to-end key exchange method according to claim 3, wherein in step a1, terminal I invokes an RSA algorithm interface of the extended encryption hardware communicatively connected to it to generate a public-private key pair, and the private key is stored in the extended encryption hardware; the specific process of encrypting the public key is as follows: a basic key is prefabricated in terminal I; when registering the mobile phone number, terminal I submits the mobile phone number and the equipment ID information of terminal I to the server; a short message verification code is issued to terminal I by the server, and the equipment ID information of terminal I is bound to the mobile phone number; after receiving the short message verification code, terminal I disperses the basic key with the short message verification code to obtain a first temporary key, then encrypts the public key of terminal I with the first temporary key and submits the encrypted public key to the server.
5. The certificate-based end-to-end key exchange method according to claim 4, wherein in step a2, the specific process by which the server decrypts the public key encrypted by terminal I is as follows: the server is pre-provisioned with a basic key; after receiving the encrypted public key, the server disperses the basic key with the short message verification code issued to terminal I to obtain a second temporary key, and decrypts the encrypted public key submitted by terminal I with the second temporary key.
6. The certificate-based end-to-end key exchange method of claim 5, wherein the extended encryption hardware is a SIM film card with a built-in security chip.
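Step a5 of claim 1, as an added Go example that is not code from the patent: terminal I accepts the certificate relayed by the server only if it chains to the prefabricated root, and only then takes the public key from it. The keys, names and the `issue` helper standing in for the digital certificate authentication center are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed demo keys: the certification center's and terminal II's.
var caKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var t2Key, _ = rsa.GenerateKey(rand.Reader, 2048)

// issue returns a DER certificate over pub; with parent == nil it self-signs a root CA.
func issue(cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
}

// PeerKey is step a5: the relayed certificate is trusted only if it chains to the prefabricated root.
func PeerKey(root *x509.Certificate, relayedDER []byte) (interface{}, error) {
	cert, err := x509.ParseCertificate(relayedDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	return cert.PublicKey, nil
}

func main() {
	rootDER, _ := issue("constructed root CA", &caKey.PublicKey, nil, caKey)
	root, _ := x509.ParseCertificate(rootDER)
	certDER, _ := issue("terminal II (constructed)", &t2Key.PublicKey, root, caKey)
	pub, err := PeerKey(root, certDER)
	fmt.Println("public key of terminal II recovered:", err == nil && t2Key.PublicKey.Equal(pub))
}
```

Because the server relays both user certificates, this root check on the terminal is what detects a certificate that was not made by the certification center.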
CN201810022875.XA 2018-01-10 2018-01-10 End-to-end key exchange method based on certificate Active CN108259486B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810022875.XA CN108259486B (en) 2018-01-10 2018-01-10 End-to-end key exchange method based on certificate

Publications (2)

Publication Number Publication Date
CN108259486A CN108259486A (en) 2018-07-06
CN108259486B true CN108259486B (en) 2020-12-01

Family

ID=62726152

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810022875.XA Active CN108259486B (en) 2018-01-10 2018-01-10 End-to-end key exchange method based on certificate

Country Status (1)

Country Link
CN (1) CN108259486B (en)

Also Published As

Publication number Publication date
CN108259486A (en) 2018-07-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 450000 Building 10 of Microcloud Computing Industry Park, 166 Duying Street, Zhengzhou High-tech Industrial Development Zone, Henan Province

Applicant after: Henan core shield net an Technology Development Co., Ltd.

Address before: 100193 Building 313-34, No. 4, 8th Hospital, Wangxi Road, Haidian District, Beijing

Applicant before: Core shield net (Beijing) Technology Development Co., Ltd.

GR01 Patent grant