CN108449756A - A kind of system of network cryptographic key updating, method and device - Google Patents

A kind of system of network cryptographic key updating, method and device Download PDF

Info

Publication number
CN108449756A
CN108449756A CN201810693901.1A CN201810693901A CN108449756A CN 108449756 A CN108449756 A CN 108449756A CN 201810693901 A CN201810693901 A CN 201810693901A CN 108449756 A CN108449756 A CN 108449756A
Authority
CN
China
Prior art keywords
key
equipment
key updating
information
updating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810693901.1A
Other languages
Chinese (zh)
Other versions
CN108449756B (en
Inventor
崔宝江
刘芮青
杨俊�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN201810693901.1A priority Critical patent/CN108449756B/en
Publication of CN108449756A publication Critical patent/CN108449756A/en
Application granted granted Critical
Publication of CN108449756B publication Critical patent/CN108449756B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Abstract

A kind of network cryptographic key updating system of the application offer, method and device, the system include the first equipment and the second equipment;The key updating solicited message of generation is sent to the second equipment by the first equipment;Second equipment receives the key updating response message sent after key updating solicited message;First network key is generated based on the response mark carried in things mark and key updating response message;Using first network key pair first key verification information encrypt after, by carrying the second equipment is sent in key updating successful information;Second equipment generates the second netkey after receiving key updating successful information, according to the things mark and response mark that are carried in key updating solicited message, and decrypts encrypted first key verification information using the second netkey.The system updates netkey by way of repeatedly shaking hands, and avoids causing information leakage using preset key for a long time, improves the safety of wireless network communication in internet of things equipment.

Description

A kind of system of network cryptographic key updating, method and device
Technical field
This application involves data security arts, in particular to a kind of system of network cryptographic key updating, method and dress It sets.
Background technology
With the continuous development of technology of Internet of things, the application of Internet of Things is more and more extensive, and scale is also more and more huger.Internet of Things Net equipment generally uses the wireless network communication protocols such as ZigBee protocol (ZigBee) to be communicated.
It is main in existing wireless network communication agreement in order to improve safety and the high efficiency of communication in Internet of Things The data of transmission are encrypted using predefined keys, although ensure that peace of the data in interactive process to a certain extent Quan Xing, but predefined key usage time is long, the probability being stolen is very high, and predefined keys are once stolen, information It will be leaked, cause multi-party benefit damage.
Therefore, the safety difference of Internet of Things wireless network communication becomes current urgent problem to be solved.
Invention content
In view of this, the application's is designed to provide a kind of system of network cryptographic key updating, method and device, Neng Gou The security update that key is realized when needs, improves the safety of wireless network communication in internet of things equipment.
In a first aspect, the embodiment of the present application provides a kind of network cryptographic key updating system, which is characterized in that including:It carries out The first equipment and the second equipment of data communication;
First equipment and second equipment preserve the go-between key consulted in advance;
First equipment is sent to for generating key updating solicited message, and by the key updating solicited message Second equipment carries in the key updating solicited message:Using security key as encryption key, and use predetermined encryption algorithm Encrypted things mark;When what reception second equipment was sent carries out the key of response more to the key updating solicited message After new response message, based on the security key, the go-between key, things mark, the key updating response The response mark carried in information, generates first network key, and the network used originally using the first network key pair Key is updated;And using the response carried in key updating response message described in the first network key pair identify into Row cryptographic calculation, generate first network cipher key encryption information, and by the first network cipher key encryption information carry key more It is sent to second equipment in new successful information;It is anti-according to the first network cipher key encryption information to receive second equipment The key updating ending message of feedback, and key updating ending message described in the first network key pair using generation is tested Card, if being verified, completes network cryptographic key updating process;
Second equipment generates key updating response message, and will after receiving the key updating solicited message The key updating response message is sent to first equipment;It is carried in the key updating response message:With the peace Full key is encryption key, and is identified using the response that the predetermined encryption algorithm is encrypted;It is set when receiving described first After being updated successfully information for what is fed back according to the key updating response message, carried based on the key updating solicited message Things mark, the security key, the netkey, response mark, generate the second netkey, use described second Netkey is updated the netkey used originally, and is based on second netkey, to being updated successfully letter The first network cipher key encryption information carried in breath is verified;After being verified, generated based on second netkey close Key updates ending message, and sends the key updating ending message to first equipment;
Wherein, the first network key is identical with second netkey.
With reference to first aspect, the embodiment of the present application provides the first possible embodiment of first aspect, wherein
First equipment is specifically used for being based on the security key, the go-between key, institute by following step The response mark carried in things mark, the key updating response message is stated, first network key is generated:
The go-between key preserved using the first equipment carries out XOR operation with the security key, obtains the first encryption Information;
By the things identify and the key updating response message in entrained response identify splicing, form first Character string;
Using predetermined encryption algorithm, using first encryption information as encryption key, first character string is added It is close, generate the first network key;
Second equipment, specifically for being identified based on the things that the key updating solicited message carries by following step, The security key, the go-between key, response mark, generate the second netkey:
The go-between key preserved using the second equipment carries out XOR operation with the security key, obtains second Encryption information;
By the response identify and the key updating solicited message in entrained Transaction Identifier splicing, form second Character string;
Using the predetermined encryption algorithm, using second encryption information as encryption key, to second character string into Row encryption, generates second netkey.
With reference to first aspect, the embodiment of the present application provides second of possible embodiment, wherein the key updating Encrypted second timestamp of key safe to use is also carried in response message;
First equipment is specifically used for answering using key updating described in the first network key pair by following step It answers the response mark carried in information and operation is encrypted, generate first network cipher key encryption information:
Exclusive or fortune is carried out using response mark entrained in second timestamp and the key updating response message It calculates, generates first key verification information;
Using first key verification information encryption is carried out described in the first network key pair, the first net of the generation is generated Network cipher key encryption information;
Second equipment encrypts letter especially by following step to being updated successfully the first network key carried in information Breath is verified:
First network key entrained in the key updating successful information is encrypted using second netkey Information is decrypted, and obtains the first key verification information;And
XOR operation is carried out with second timestamp that second equipment preserves obtain the using response mark Two key authentication information;
Whether the first key verification information and the second key authentication information that detection decryption obtains are consistent;
If the two is consistent, it is verified.
With reference to first aspect, the embodiment of the present application provides the third possible embodiment, wherein the key updating Solicited message also carries the encrypted first time stamp of key safe to use;
Second equipment is terminated specifically for passing through following step based on second netkey generation key updating Information:
XOR operation is carried out using things mark, first time stamp, generates third key authentication information;
The third key authentication information is encrypted using second netkey, the second netkey is generated and adds Confidential information;
Generate the key updating ending message;Second netkey is carried in the key updating ending message Encryption information;
First equipment is specifically used for being based on key updating knot described in the first network key pair by following step Beam information is verified:
The second net that key updating ending message carries described in the first network key pair generated using first equipment Network cipher key encryption information is decrypted, and obtains the third key authentication information;
And
The first time stamp preserved using the things mark, first equipment that generate at random carries out XOR operation, obtains 4th key authentication information;
The obtained third key authentication information is compared with the 4th key authentication information;
If the two is consistent, it is verified.
With reference to first aspect, the embodiment of the present application provides the 4th kind of possible embodiment, wherein the key updating Solicited message also carries the encrypted first time stamp of key safe to use;
Second equipment is additionally operable to after receiving the key updating solicited message, and generates the key more Before new response message, the encrypted first time stamp is decrypted using the security key, obtains the first time Stamp, and whether the time difference between the first time stamp and current time is detected less than poor threshold value of preset first time; The time difference between the first time stamp and current time is detected less than after poor threshold value of preset first time, is generated described close Key updates response message;
The second timestamp using the secure key encryption is also carried in the key updating response message;
First equipment is additionally operable to after receiving the key updating response message, and generate key updating at Before work(information, encrypted second timestamp is decrypted, obtains second timestamp, and detect second timestamp Whether the time difference between current time is less than preset second time difference threshold value;It is detecting second timestamp and is working as After time difference between the preceding time is less than preset second time difference threshold value, key updating successful information is generated;
The third timestamp using the secure key encryption is also carried in the key updating successful information;
Second equipment is additionally operable to after receiving the key updating successful information, and generates the key more Before new ending message, encrypted third timestamp is decrypted using the security key, obtains the third timestamp, And detect whether the time difference between the third timestamp and current time is less than preset third time difference threshold value;It is detecting After time difference between the third timestamp and current time is less than preset third time difference threshold value, the key is generated more New ending message;
Encrypted 4th timestamp of key safe to use is also carried in the key updating ending message;
First equipment, is additionally operable to after receiving key updating ending message, and is using described first generated Before netkey verifies the key updating ending message, using the security key to encrypted 4th timestamp It is decrypted, obtains the 4th timestamp, and whether the time difference detected between the 4th timestamp and current time is small In preset 4th time difference threshold value;It is less than preset the detecting the time difference between the 4th timestamp and current time After four time difference threshold values, the key updating ending message is verified.
With reference to first aspect, the embodiment of the present application provides the 5th kind of possible embodiment, wherein the key updating The first authentication information is also carried in solicited message;
The identity information of first equipment is generated in advance in first equipment;First authentication information is described First equipment carries out 1 Hash operation to the identity information and obtains;
Second equipment pre-saves the identity information of first equipment;
Second equipment is additionally operable to before generating key updating response message, is set to described first pre-saved Standby identity information carries out 1 Hash operation, and detect the identity information of the first equipment for having carried out 1 Hash operation with it is described Whether the first authentication information carried in key updating solicited message is consistent;1 Hash operation has been carried out detecting After the identity information of first equipment is consistent with the first authentication information carried in the key updating solicited message of acquisition, Generate the key updating response message;
And
The second authentication information of second equipment is also carried in the key updating response message;
The identity information of second equipment is generated in advance in second equipment;Second authentication information is described The identity information of second equipment carries out 1 Hash operation and obtains;
First equipment pre-saves the identity information of second equipment;
First equipment is additionally operable to before generating key updating successful information, is set to described second pre-saved Standby identity information carries out 1 Hash operation, and detect the identity information of the second equipment for having carried out 1 Hash operation with it is described Whether the second authentication information carried in key updating response message is consistent;1 Hash operation has been carried out detecting After the identity information of second equipment is consistent with the second authentication information carried in the key updating solicited message of acquisition, Generate the key updating successful information.
Second aspect, the embodiment of the present application also provides a kind of network cryptographic key updating methods, which is characterized in that for executing First equipment of network cryptographic key updating, this method include:
Key updating solicited message is generated, and the key updating solicited message is sent to the second equipment, the key It is carried in update solicited message:Using security key as encryption key, and identified using the encrypted things of predetermined encryption algorithm;Institute It states key updating solicited message and is used to indicate the second equipment generation key updating response message;
Receive the key updating response message that second equipment is sent;It is carried in the key updating response message It is encryption key to state security key, and is identified using the response that the predetermined encryption algorithm is encrypted;
The go-between consulted in advance preserved with second equipment based on the security key, first equipment The response mark that key, things mark, the key updating response message carry, generates first network key;
Using the first network key, fortune is encrypted to the response mark carried in the key updating response message It calculates, generates first network cipher key encryption information, and the first network cipher key encryption information is carried and is successfully believed in key updating Second equipment is sent in breath;
Receive the key updating that second equipment is sent after being verified to the first network cipher key encryption information Ending message, and verified using the first network key pair key updating ending message, if being verified, complete net Network key updating process.
The third aspect, the embodiment of the present application also provides a kind of network cryptographic key updating methods, which is characterized in that for executing Second equipment of network cryptographic key updating, this method include:
After receiving the key updating solicited message, key updating response message is generated, and by the key updating response Information is sent to first equipment;It is carried in the key updating response message:Using security key as encryption key, and make With predetermined encryption algorithm, the response mark being encrypted;
Things mark, the security key, first equipment and the institute carried based on the key updating solicited message The go-between key consulted in advance, the response mark for stating the preservation of the second equipment, generate the second netkey;
Using second netkey, the first network key carried in the key updating successful information that receives is added Operation is decrypted in confidential information, obtains the first network cipher key encryption information;
The first network cipher key encryption information is verified, after being verified, key is generated based on second netkey Ending message is updated, and the key updating ending message is sent to first equipment.
Fourth aspect, the embodiment of the present application also provides a kind of network cryptographic key updating devices, which is characterized in that for by the The network cryptographic key updating system that one equipment and the second equipment are constituted;The first interactive module is installed in first equipment;It is described Second interactive module is installed in the second equipment;
First interactive module, is used for:Key updating solicited message is generated, and the key updating solicited message is sent out The second interactive module is given, is carried in the key updating solicited message:Using security key as encryption key, and using default The encrypted things mark of Encryption Algorithm;The key updating solicited message is used to indicate second interactive module and generates key more New response message;Receive the key updating response message that second interactive module is sent;In the key updating response message It is encryption key to carry the security key, and is identified using the response that the predetermined encryption algorithm is encrypted;Based on institute State security key, the go-between key consulted in advance that first interactive module and second interactive module preserve, The response mark that the things mark, the key updating response message carry, generates first network key;Using described First network key is encrypted operation to the response mark carried in the key updating response message, generates first network Cipher key encryption information, and the first network cipher key encryption information carried and is sent in key updating successful information described the Two interactive modules;Receive second interactive module sent after being verified to the first network cipher key encryption information it is close Key updates ending message, and is verified using the first network key pair key updating ending message, if being verified, Complete network cryptographic key updating process.
5th aspect, the embodiment of the present application also provides a kind of network cryptographic key updating devices, which is characterized in that for by the The network cryptographic key updating system that one interactive module and the second interactive module are constituted;First interaction mould is installed in first equipment Block;The second interactive module is installed in second equipment;
Second interactive module, is used for:After receiving the key updating solicited message, key updating response letter is generated Breath, and the key updating response message is sent to first interactive module;It is carried in the key updating response message Have:Using security key as encryption key, and predetermined encryption algorithm is used, the response mark being encrypted;More based on the key Things mark, the security key, first interactive module and second interactive module preservation that new solicited message carries The go-between key consulted in advance, the response mark, generate the second netkey;It is close using second network Key is decrypted operation to the first network cipher key encryption information carried in the key updating successful information that receives, obtains institute State first network cipher key encryption information;The first network cipher key encryption information is verified, after being verified, is based on second net Network key production key updates ending message, and sends the key updating ending message to first equipment.
System, the method and device of network cryptographic key updating provided by the embodiments of the present application, using hash chain mechanism into line number According to transmission and identity information certification, with long-time in the prior art use the encrypted transmission side data of predefined keys Formula is compared, and can realize the update of netkey, improves the safety of wireless network communication in internet of things equipment.
To enable the above objects, features, and advantages of the application to be clearer and more comprehensible, preferred embodiment cited below particularly, and coordinate Appended attached drawing, is described in detail below.
Description of the drawings
It, below will be to needed in the embodiment attached in order to illustrate more clearly of the technical solution of the embodiment of the present application Figure is briefly described, it should be understood that the following drawings illustrates only some embodiments of the application, therefore is not construed as pair The restriction of range for those of ordinary skill in the art without creative efforts, can also be according to this A little attached drawings obtain other relevant attached drawings.
Fig. 1 shows a kind of structural schematic diagram for network cryptographic key updating system that the embodiment of the present application is provided;
Fig. 2 shows a kind of flow charts for generation first network encryption key method that the embodiment of the present application is provided;
Fig. 3 shows a kind of flow for generation first network cipher key encryption information method that the embodiment of the present application is provided Figure;
Fig. 4 shows a kind of flow chart for generation the second netkey method that the embodiment of the present application is provided;
Fig. 5 shows a kind of stream for method verified to first key verification information that the embodiment of the present application is provided Cheng Tu;
Fig. 6 shows a kind of flow chart for generation key updating successful information that the embodiment of the present application is provided;
Fig. 7 shows a kind of flow chart for verification third key authentication information approach that the embodiment of the present application is provided;
Fig. 8 shows a kind of flow chart for network cryptographic key updating method that the embodiment of the present application is provided;
Fig. 9 shows the flow chart for another network cryptographic key updating method that the embodiment of the present application is provided;
Figure 10 shows a kind of structural schematic diagram for computer equipment that the embodiment of the present application is provided;
Specific implementation mode
To keep the purpose, technical scheme and advantage of the embodiment of the present application clearer, below in conjunction with the embodiment of the present application Middle attached drawing, technical solutions in the embodiments of the present application are clearly and completely described, it is clear that described embodiment is only It is some embodiments of the present application, instead of all the embodiments.The application being usually described and illustrated herein in the accompanying drawings is real Applying the component of example can be arranged and designed with a variety of different configurations.Therefore, below to the application's for providing in the accompanying drawings The detailed description of embodiment is not intended to limit claimed scope of the present application, but is merely representative of the selected reality of the application Apply example.Based on embodiments herein, institute that those skilled in the art are obtained without making creative work There is other embodiment, shall fall in the protection scope of this application.
Predefined keys are used for a long time when the wireless network communication of current internet of things equipment, be easy to cause letting out for information Dew is based on this, and the embodiment of the present application provides a kind of network cryptographic key updating system, method and device, by netkey into Row security update improves the safety of Internet of Things wireless network communication.
In order to make the above objects, features, and advantages of the present application more apparent, below in conjunction with the accompanying drawings and it is specific real Mode is applied to be further described in detail the application.In the embodiment of the present application, which is used not only in Internet of Things, It can also be used in other Wireless Communication Equipment.The system is illustrated below.
It is shown in Figure 1, a kind of network cryptographic key updating system, which is characterized in that including:First into row data communication sets Standby and the second equipment;
First equipment and second equipment preserve the go-between key K consulted in advanceNWK
First equipment is sent for generating key updating solicited message α, and by the key updating solicited message α To the second equipment, carried in the key updating solicited message α:Using security key ks as encryption key, and added using default The things of close algorithm for encryption identifies NTrID;When what reception second equipment was sent carries out the key updating solicited message α After the key updating response message β of response, it is based on the security key ks, the go-between key KNWK, things mark The response mark NRsID carried in NTrID, the key updating response message β, generates first network key NKNWK1, and use The first network key NKNWK1Originally the netkey used is updated;And use the first network key NKNWK1Operation is encrypted to the response mark NRsID carried in the key updating response message β, it is close to generate first network Key encryption information, and the first network cipher key encryption information carried and is sent in key updating successful information γ described the Two equipment;The key updating ending message ω that second equipment is fed back according to the first network cipher key encryption information is received, And use the first network key NK generatedNWK1The key updating ending message ω is verified, if being verified, Then complete network cryptographic key updating process;
Second equipment generates key updating response message β after receiving the key updating solicited message α, and The key updating response message β is sent to first equipment;It is carried in the key updating response message β:With institute It is encryption key to state security key ks, and identifies NRsID using the response that the predetermined encryption algorithm is encrypted;When receiving First equipment according to the key updating response message β feed back be updated successfully information after, asked based on the key updating Seek things mark NTrID, the security key ks, the go-between key K that information α is carriedNWK, response mark NRsID generates the second netkey NKNWK2, using second netkey to the go-between key that used originally KNWKIt is updated, and is based on second netkey, to being updated successfully the first network key NK carried in informationNWK1Add Confidential information is verified;After being verified, it is based on the second netkey NKNWK2Key updating ending message ω is generated, and The key updating ending message ω is sent to first equipment;
Wherein, the first network key NKNWK1With the second netkey NKNWK2It is identical.
In specific implementation, the first equipment and the second equipment are the both sides for carrying out wireless data communication;Such as in object In networking, the first equipment can be Internet of Things trust center server;Second equipment can be setting in Internet of Things to be added to It is standby, such as Intelligent lamp, intelligent door lock etc.;In addition, the initiator of network cryptographic key updating can be into the arbitrary of row data communication It is close to initiate network that is, all can serve as the first equipment in the application into either side in the both sides of row data communication by one side The newer process of key.
Network cryptographic key updating system provided by the present application includes following mistake when executing network cryptographic key updating Journey:
(1) first equipment can generate key updating solicited message α when the network cryptographic key updating process of initiation, and Send that information to the second equipment.Transaction Identifier NTrID is carried in key updating solicited message α, which has First equipment generates at random, and when being carried at α in key updating solicited message, using security key ks as encryption key, and It is encrypted using predetermined encryption algorithm.
Herein, security key ks is the key that the first equipment and the second equipment have been made an appointment.Security key ks into It will not be used when row data interaction.First equipment and the second equipment use netkey when carrying out data interaction.
Predetermined encryption algorithm can be set according to actual use demand, usually, symmetric key may be used and add Close algorithm, ciphering process and decrypting process can be using identical device keys k, the predetermined encryption algorithm:Superencipherment mark Accurate (Advanced Encryption Standard, AES) Encryption Algorithm, data encryption standards (Data Encryption Standard, DES) etc..
For example, using aes algorithm as predetermined encryption algorithm, things mark NTrID is encrypted, then:
The key updating solicited message α of generation meets formula:α=AESks(NTrID)。
In this example, it is for things mark NTrID is encrypted using aes algorithm, to using predetermined encryption to calculate Method is illustrated the things mark NTrID processes being encrypted;Similarly, it is also used during the embodiment of the present application is other Therefore identical aes algorithm repeats place, repeats no more.
In addition, in other examples, other Encryption Algorithm can also be used, it is only necessary to be related to during ensureing respectively pre- If Encryption Algorithm is consistent.
(2) second equipment receive the key updating solicited message α that the first equipment is sent, and generate key updating response message β gives key updating response message hair β to the first equipment.
Specifically, carrying response mark NRsID in key updating response message β, response mark NRsID is being carried When in key updating response message, using security key ks as encryption key, and it is encrypted using the predetermined encryption algorithm. Response mark NRsID is generated at random by the second equipment.
For example, using AES encryption algorithm as predetermined encryption algorithm, response mark NRsID is encrypted, then:
The key updating response message β of generation meets formula:β=AESks(NRsID)。
Herein, the second equipment, can also be safe to use close after the key updating solicited message α for receiving the transmission of the first equipment Encrypted things mark NTrID is decrypted in key ks, things after being decrypted mark NTrID, and by the things after decryption Mark NTrID is preserved.
(3) first equipment receive the key updating response message β that the second equipment is sent, and are sent receiving the second equipment Key updating response message after, key ks safe to use to encrypted response mark NRsID be decrypted, after being decrypted Response identifies NRsID, and the response mark NRsID after decryption is preserved.
After the response mark NRsID after being decrypted, things mark can be also generated at random using the first equipment NTrID, the response obtained from key updating response message β mark NRsID, security key ks and the first equipment preserve advance The go-between key K consultedNWK, generate first network key NKNWK1
Specifically, it is shown in Figure 2, in the embodiment of the present application, also provide a kind of first equipment generation first network key NKNWK1Specific method.First equipment is after the key updating response message β for receiving the transmission of the second equipment, according to following Step generates first network key NKNWK1
S201:Use go-between key KNWKXOR operation is carried out with security key ks, obtains the first encryption information KNWK ⊕ks。
Wherein, ⊕ indicates xor operator.
S202:The things is identified to response mark entrained in the NTrID and key updating response message β NRsID splices, and forms the first character string.
When specific implementation, things is identified into NTrID and response mark NRsID is attached, actually by things Mark NTrID and response mark NRsID are spliced, and the method for splicing can specifically be set according to actual needs.
For example, things mark NTrID is 32;It is 32 that response, which identifies NRsID, and things is identified NTrID and response Mark NRsID is spliced into one 128 character strings, and following any ways may be used and spliced:
NTrID||NTrID||NRsID||NRsID、NTrID||NRsID||NRsID||NTrID、NTrID||NRsID|| NTrID||NRsID、NRsID||NRsID||NTrID||NTrID、NRsID||NTrID||NRsID||NTrID、NRsID|| NTrID | | NTrID | | NRsID, NTrID | | NRsID | | NRsID | | NRsID ... etc., wherein " ‖ " indicates splicing.
That is, things mark NTrID and response identify NRsID when being attached to form character string, quantity is at least 1, Position can be set as needed.
S203:Using predetermined encryption algorithm, with the first encryption information KNWK⊕ ks be encryption key, to the first character string into Row encryption, generates first network key NKNWK1
For example, the response that 32 things are identified to NTrID and 32 identifies NRsID according to NTrID | | NTrID | | NRsID | | the mode of NRsID is attached, and 128 character strings of generation reuse aes algorithm, with the first encryption information KNWK⊕ ks are encrypted character string as encryption key, the first network key NK of generationNWK1Meet following formula:
First equipment generates first network key NKNWK1It afterwards, can be close by the network used when into row data communication originally Key replaces with first network key NKNWK1, that is, being updated to netkey.
After being updated to netkey, the first equipment can use first network key NKNWK1Key updating response is believed Entrained response mark NRsID is encrypted in breath β, generates first network cipher key encryption information.
Herein, the embodiment of the present application also provides a kind of use the first network key NKNWK1The key updating is answered It answers the response mark NRsID carried in information β and operation is encrypted, generate first network cipher key encryption information (NRsID ⊕ Tt1) NKNWK1Specific implementation mode.
In this embodiment, it is also carried in the key updating response message β transmitted by the second equipment safe to use close Encrypted second time stamp Ts of key kst1.After first equipment receives key updating response message β, meeting key ks safe to use is to close Encrypted second time stamp T carried in key update response message βt1It is decrypted, obtains the second time stamp Tt1, and to second Time stamp Tt1It is preserved.
Shown in Figure 3, the first equipment is specifically used for using the first network key NK according to following stepNWK1To institute It states the response mark NRsID carried in key updating response message β and operation is encrypted, generate first network cipher key encryption information (NRsID⊕Tt1)NKNWK1
S301:Use the second time stamp Tt1It is carried out with response mark NRsID entrained in key updating response message β different Or operation, generate first key verification information NRsID ⊕ Tt1
S302:Use first network key NKNWK1To carrying out first key verification information NRsID ⊕ Tt1Encryption generates life At first network cipher key encryption information (NRsID ⊕ Tt1)NKNWK1
Wherein, key updating successful information γ meets formula:
γ=(NRsID ⊕ Tt1)NKNWK1
(4) second equipment receive the key updating successful information γ that the first equipment is sent.Receiving key updating success It, can be according to things mark NTrID, security key ks, the mid-level net carried in the key updating solicited message α of preservation after information γ Network key KNWKThe response mark NRsID locally generated, generates the second netkey NKNWK2
Specifically, shown in Figure 4, the embodiment of the present application also provides a kind of second equipment generation the second netkey NKNWK2Specific method.This method includes:
S401:The go-between key K preserved using the second equipmentNWKXOR operation is carried out with security key ks, obtains the Two encryption information KNWK⊕ks。
S402:Response is identified to Transaction Identifier NTrID splicings entrained in NRsID and key updating solicited message α, Form the second character string.
S403:Using predetermined encryption algorithm, with the second encryption information KNWK⊕ ks be encryption key, to the second character string into Row encryption, generates the second netkey NKNWK2
Herein, the second equipment uses things mark NTrID, the response mark NRsID carried in key updating solicited message α The method for generating character string is completely the same, and the second equipment generates the second netkey NKNWK2Method it is also completely the same, tool Body refers to the corresponding embodiment descriptions of above-mentioned Fig. 2, is not repeating herein.
Second equipment generates the second netkey NKNWK2Later, the netkey that the second equipment used originally can be replaced For the second netkey NKNWK2, that is, being updated to netkey.After being updated to netkey, the second equipment can make With the second netkey NKNWK2To first network cipher key encryption information (NRsID ⊕ entrained in key updating successful information γ Tt1)NKNWK1It is decrypted, obtains first key verification information NRsID ⊕ Tt1.Second equipment obtains first key verification information NRsID⊕Tt1It afterwards, can be based on the response mark NRsID locally generated and the second time stamp Tt1, to first key verification information NRsID⊕Tt1It is verified.
Specifically, shown in Figure 5, the embodiment of the present application, which also provides, a kind of to be verified first key verification information Specific method:
S501:Use the second netkey NKNWK2To first network key entrained in key updating successful information γ Encryption information (NRsID ⊕ Tt1)NKNWK1It is decrypted, obtains first key verification information NRsID ⊕ Tt1, jump to S503.
S502:The second timestamp progress XOR operation that NRsID and the preservation of the second equipment are identified using response obtains second Key authentication information NRsID ⊕ Tt1, jump to S503.
S503:Whether the first key verification information and the second key authentication information that detection decryption obtains are consistent;If otherwise, Jump to S504;If so, jumping to S505.
S504:This key updating process is invalid.
S505:It is verified, continues the subsequent process of key updating.
Herein, the sequencing that S501 and S502 are not carried out can synchronize execution, can also asynchronous execution;S503 is wanted It is executed after the completion of S501 and S502 are performed both by.
Second equipment during this after detecting that first key verification information is consistent with the second key authentication information, really Recognize key updating success, the second netkey NK can be based onNWK2Generate key updating ending message ω.
Herein, the embodiment of the present application also provides a kind of specific embodiment party of second equipment generation key updating ending message ω Formula;
In this embodiment, also carried in key updating solicited message α key ks safe to use it is encrypted first when Between stab Ti1.For second equipment after receiving key updating solicited message, meeting key ks safe to use stabs encrypted first time Ti1It is decrypted, obtains and preserves stamp T at the first timei1
It is shown in Figure 6:Second equipment is specifically used for generating key updating ending message ω by following step:
S601:Use things mark NTrID, at the first time stamp Ti1XOR operation is carried out, third key authentication information is generated NTrID⊕Ti1
S602:Use the second netkey NKNWK2Third key authentication information is encrypted, the second netkey is generated Encryption information (NTrID ⊕ Ti1)NKNWK2
S603:Generate the key updating ending message ω;The second netkey is carried in key updating ending message ω Encryption information (NTrID ⊕ Ti1)NKNWK2
The key updating ending message ω then generated meets formula:
ω=(NTrID ⊕ Ti1)NKNWK2
(5) first equipment receive the key updating ending message ω that the second equipment is sent, and are receiving key updating knot After beam information, the first network key NK generated can be usedNWK1The key updating ending message ω is verified, if verification Pass through, then completes network cryptographic key updating process.
Specifically, shown in Figure 7, the first equipment uses the first network key NK generated by following stepNWK1It is right The key updating ending message ω is verified:
S701:The first network key NK generated using the first equipmentNWK1That key updating ending message ω is carried Two netkey encryption information are decrypted, and obtain the third key authentication information NTrID ⊕ Ti1.Jump to S703.
S702:T is stabbed using the first time of the things mark NTrID, the preservation of the first equipment that generate at randomi1Carry out exclusive or fortune It calculates, obtains the 4th key authentication information NTrID ⊕ Ti1.Jump to S703.
S703:It detects the obtained third key authentication information and whether the 4th key authentication information is consistent.If it is not, then Jump to S704;If so, jumping to S705.
S704:This key updating process is invalid.
S705:It is verified.
Herein, S701-S702 does not have sequencing, can synchronize execution, can also asynchronous execution;S703 will in S701 and S702 is executed after the completion of being performed both by.
Second equipment is after the third key authentication information that detection obtains is consistent with the 4th key authentication information, then close The newer all processes of key terminate, key updating success.
When any one above-mentioned process is interrupted, then stop entire key updating process, all mistakes before breaking in the process Journey is all invalid.For example, in process (4), the second equipment is to first key verification information NRsID ⊕ Tt1When, it detects First key verification information and the second key authentication information are inconsistent, then the second equipment can feed back first key as the first equipment and test Information Authentication failure news is demonstrate,proved, notifies the first device end whole network key updating process.
Can also include following processes in addition, in another embodiment of the application:
(6) first equipment are after being verified key updating ending message ω, due to first network key and the second net Network key is to be generated based on identical method, therefore the two is identical, and it is more to call first network key and the second netkey in the following text New successful netkey.First equipment is close using the network being updated successfully when subsequently carrying out data interaction with the second equipment Interactive information is encrypted in key.
In the embodiment of the present application, by repeatedly shaking hands between the first equipment and the second equipment, handed in a manner of encrypted first Mutual things mark is identified with response;After the first equipment obtains things mark and response mark, things mark, response mark can be based on Know and generate first network key, and be encrypted using updated first network key pair first key verification information, is sent To the second equipment;Second equipment can generate the second netkey using mode identical with the first equipment, and utilize the second net Network key pair is decrypted using the encrypted first key verification information of first network key, the information obtained after decryption with When the information that second equipment is calculated is consistent, illustrate the of first network key and the second equipment generation that the first equipment generates Two netkeys are consistent, and both complete the update of netkey, so avoid be used for a long time preset netkey into The information of row encryption interaction, and the leakage of interactive information is caused, improve the safety of wireless network communication in internet of things equipment.
The application also provides another network cryptographic key updating system, and in this more new system, the first equipment is set with second During standby progress network cryptographic key updating, the timeliness for verifying interaction data is needed, to ensure continuity and the safety of verification.
In the embodiment of the present application:The key updating solicited message α also carries key safe to use encrypted first Timestamp;
Second equipment is additionally operable to after receiving the key updating solicited message, and generates the key more Before new response message, T is stabbed to the encrypted first time using the security key ksi1It is decrypted, obtains described first Time stamp Ti1, and detect the first time stamp Ti1Whether the time difference between current time is less than preset first time Poor threshold value;T is stabbed detecting the first timei1Time difference between current time is less than poor threshold value of preset first time Afterwards, the key updating response message β is generated;
It is also carried in the key updating response message β and uses encrypted second time stamp Ts of the security key kst1
First equipment is additionally operable to after receiving the key updating response message β, and generate key updating at Before work(information γ, to encrypted second time stamp Tt1Decryption obtains second time stamp Tt1, and detect described second Time stamp Tt1Whether the time difference between current time is less than preset second time difference threshold value;When detecting described second Between stab between current time time difference be less than preset second time difference threshold value after, generate key updating successful information γ;
The encrypted third time stamp Ts of key ks safe to use are also carried in the key updating successful information γi2
Second equipment is additionally operable to after receiving the key updating successful information γ, and generates key updating Before ending message ω, using the security key ks to encrypted third time stamp Ti2It is decrypted, when obtaining the third Between stab Ti2, and detect the third time stamp Ti2Whether the time difference between current time is less than the preset third time difference Threshold value;Detecting the third time stamp Ti2After time difference between current time is less than preset third time difference threshold value, Generate the key updating ending message ω;
Encrypted 4th time stamp Ts of key ks safe to use are also carried in the key updating ending message ωt2
First equipment is additionally operable to after receiving key updating ending message ω, and is using described the generated Before one netkey verifies the key updating ending message ω, the security key ks will be used to encrypted the Four time stamp Tst2It is decrypted, obtains the 4th time stamp Tt2, and detect the 4th time stamp Tt2Between current time Time difference whether be less than preset 4th time difference threshold value;Detecting the 4th time stamp Tt2Between current time when Between difference be less than preset 4th time difference threshold value after, the key updating ending message ω is verified.
In specific implementation:
1., can also be safe to use close when the first equipment generates key updating solicited message α in the above process (1) Key ks stabs T to first timei1After being encrypted, carry in key updating solicited message α, and by key updating solicited message α It is sent to the second equipment.
At this point, key updating solicited message α meets formula:
α=AESks(NTrID)||(Ti1)ks。
2. in the above process (2), the second equipment, which receives, carries stamp T at the first timei1Key updating solicited message After α, key ks safe to use stabs T to the encrypted first time that key updating solicited message α is carriedi1It is decrypted, is solved First time after close stabs Ti1, detection first time stamp Ti1Whether the time difference between current time is less than preset first Time difference threshold value.If detecting stamp T at the first timei1Time difference between current time is less than poor threshold of preset first time Value, then it is effective that the second equipment, which receives key updating solicited message α, then executes process or the execution of follow-up authentication It is subsequently generated the process of key updating response message β.If detecting stamp T at the first timei1Time difference between current time is big In preset time difference threshold value, then it is invalid that the second equipment, which receives the first interactive information α, terminates current network key more New process.
Second equipment, can also ks pairs of the second timestamp of key safe to use when generating key updating response message β Tt1It is encrypted, generates encrypted second timestamp, and encrypted second timestamp is carried and is believed in key updating response It ceases in β.
At this point, key updating response message β meets formula:β=AESks(NRsID)||(Tt1)ks。
3. in the above process (3), the first equipment, which receives, carries encrypted second time stamp Tt1Key updating answer After answering information β, key ks safe to use is to encrypted second time stamp Tt1It is decrypted, the second timestamp after being decrypted Tt1, detect the second time stamp Tt1Whether the time difference between current time is less than preset second time difference threshold value;If detection To the second time stamp Tt1After time difference between current time is less than preset second time difference threshold value, it is close to generate the second network Key NKNWK2, and execute the process for being subsequently generated key updating successful information γ.If detecting the second time stamp Tt1With current time Between time difference be more than preset second time difference threshold value, then terminate the renewal process of current network key.
First equipment when generating key updating successful information γ, can also key ks safe to use to third timestamp Ti2It is encrypted, generates encrypted third timestamp, and encrypted third timestamp is carried and is successfully believed in key updating It ceases in γ.
At this point, key updating successful information γ meets formula:
γ=(NRsID ⊕ Tt1)NKNWK1||(Ti2)ks。
4. in the above process 4, the second equipment, which receives, carries encrypted third time stamp Ti2Key updating success After information γ, key ks safe to use is to encrypted third time stamp Ti2It is decrypted, the third timestamp after being decrypted Ti2, detect third time stamp Ti2Whether the time difference between current time is less than preset third time difference threshold value;If detection To third time stamp Ti2After time difference between current time is less than preset third time difference threshold value, key updating knot is generated Beam information ω.If detecting third time stamp Ti2Time difference between current time is more than preset third time difference threshold value, Then terminate the renewal process of current network key.
Second equipment, can also ks pairs of the 4th timestamp of key safe to use when generating key updating ending message ω Tt2It is encrypted, generates encrypted 4th timestamp, and encrypted 4th timestamp is carried and terminates letter in key updating It ceases in ω.
At this point, key updating ending message ω meets formula:
ω=(NTrID ⊕ Ti1)NKNWK2||(Tt2)ks。
5. in the above process (5), the first equipment, which receives, carries encrypted 4th time stamp Tt2Key updating knot After beam information ω, key ks safe to use is to encrypted 4th time stamp Tt2It is decrypted, the 4th timestamp after being decrypted Tt2, detect the 4th time stamp Tt2Whether the time difference between current time is less than preset 4th time difference threshold value;If detection To the 4th time stamp Tt2After time difference between current time is less than preset 4th time difference threshold value, key updating knot is carried out The step of beam information ω verifications.If detecting the 4th time stamp Tt2When time difference between current time is more than the preset 4th Between poor threshold value, then terminate the renewal process of current network key.
The embodiment of the present application is sent out during network cryptographic key updating after being encrypted to timestamp using security key It goes.Detection to timestamp avoids information exchange overtime, and attacker during this period of time intercepts one sent again after interactive information Information, so as to further ensure the safety of wireless network communication.
The embodiment of the present application also provides another network cryptographic key updating system, in this more new system, the first equipment with During second equipment carries out key updating, need to be authenticated mutual identity.Specifically,
The first authentication information is also carried in the key updating solicited message α;
The identity information of first equipment is generated in advance in first equipment;First authentication information is described First equipment carries out 1 Hash operation to the identity information and obtains;
Second equipment pre-saves the identity information of first equipment;
Second equipment is additionally operable to before generating key updating response message β, is set to described first pre-saved Standby identity information carries out 1 Hash operation, and detect the identity information of the first equipment for having carried out 1 Hash operation with it is described Whether the first authentication information carried in key updating solicited message α is consistent;1 Hash operation has been carried out detecting The identity information of first equipment is consistent with the first authentication information carried in the key updating solicited message α of acquisition Afterwards, the key updating response message β is generated;
And
The second authentication information of second equipment is also carried in the key updating response message β;
The identity information of second equipment is generated in advance in second equipment;Second authentication information is described The identity information of second equipment carries out 1 Hash operation and obtains;
First equipment pre-saves the identity information of second equipment;
First equipment is additionally operable to before generating key updating successful information γ, is believed the identity of second equipment Breath carries out 1 Hash operation, and detects the identity information for the second equipment for having carried out 1 Hash operation and the key updating is answered Whether consistent answer the second authentication information carried in information β;Detecting the second equipment for having carried out 1 Hash operation After identity information is consistent with the second authentication information carried in the key updating solicited message α of acquisition, described in generation Key updating successful information γ.
Specifically, the identity information of the first equipment is:First equipment carries out m times according to the first secret seed generated at random Hash operation obtains.The identity information of first equipment is expressed as:(ID, hm(Si))。
The identity information of second equipment is:Second equipment carries out s Hash fortune according to the second secret seed generated at random It obtains.The identity information of second equipment is expressed as:(ID, hs(St))。
When the first equipment and the second equipment carry out netkey negotiation, the first equipment after generating its identity information, Its identity information can outwardly be broadcasted so that the second equipment can be according to the first equipment of information acquisition of the broadcast of the first equipment Identity information, and by the identity information of the first equipment preserve;And second equipment after generating its identity information, same meeting Its identity information is sent to the first equipment so that the second equipment of information acquisition that the first equipment can be sent according to the second equipment Identity information, and by the identity information of the second equipment preserve, used when key updating.
In carrying out key updating process:
I, the above process (1) or process 2. in, the first equipment is additionally operable to generate the first authentication information, by first Authentication information carrying in α, then will carry the key of the first authentication information more in key updating solicited message New solicited message α is sent to the second equipment.First authentication information is by the identity information h of the first equipmentm(Si) it carries out 1 time What Hash operation obtained, the first authentication information generated can be expressed as hm+1(Si)。
After then first authentication information is carried in key updating solicited message α, key updating solicited message α is full Sufficient formula:
α=AESks(NTrID)||(Ti1)ks||hm+1(Si)。
II, the above process (2) or process 2. in, the second equipment carries the first body receive the transmission of the first equipment After the key updating solicited message α of part authentication information, identity information that be based on the first equipment obtained and key updating The first authentication information carried in solicited message α, is authenticated the identity of the first equipment, after certification passes through, can just give birth to At key updating response message β.
Specifically, the second equipment is by the identity information h of the first equipment pre-savedm(Si) 1 Hash operation is carried out, and The the first authentication information h that will be carried in identity information and key updating solicited message α Jing Guo 1 Hash operationm+1(Si) It is compared, if the two is consistent, the authentication of the first equipment is passed through.
Second equipment can also generate the second authentication letter before sending key updating response message β to the first equipment Breath, and the second authentication information is carried in key updating response message β.
Second authentication information is by the identity information h of the second equipments(St) carry out what 1 Hash operation obtained.Institute The second authentication information generated can be expressed as hs+1(St).Second authentication information is carried and is answered in key updating After answering in information β, key updating response message β meets formula:
β=AESks(NRsID)||(Tt1)ks||hs+1(St)。
III, the above process (3) or process 3. in, the first equipment carries second receive the transmission of the second equipment After the key updating response message β of authentication information, identity information and key that be based on the second equipment obtained are more The second authentication information carried in new response message β, is authenticated the identity of the first equipment, after certification passes through, just meeting Generate key updating successful information γ.
Specifically, the first equipment is by the identity information h of the second equipment pre-saveds(St) 1 Hash operation is carried out, and The the second authentication information h that will be carried in identity information and key updating response message β Jing Guo 1 Hash operations+1(St) It is compared, if the two is consistent, the authentication of the second equipment is passed through.
In the embodiment of the present application, by repeatedly shaking hands between the first equipment and the second equipment, not only handed in a manner of encrypted Mutual things mark and response mark, will also utilize the body of hash chain pair the first equipment and the second equipment in multiple handshake procedure Part is authenticated, and after certification passes through, and can just execute follow-up corresponding operation, and then attacker can be avoided in the first equipment During carrying out network cryptographic key updating with the second equipment, the identity for palming off the first equipment or the second equipment is added to netkey Renewal process steals newer netkey between the first equipment and the second equipment, to improve the safety of wireless communication Property.
The go-between key K consulted in advance that first equipment and second equipment preserveNWK, can be artificial Setting, and be pre-stored in the first equipment and the second equipment;When the first equipment and the second equipment to be used, directly obtain It takes;It can also be held consultation using following manner:
First interactive information α ' for generating the first interactive information α ', and is sent to the second equipment by the first equipment;First Interactive information α ' is carried:The encrypted first round information of key ks safe to use;It receives the second equipment and receives the first interaction letter The second interactive information β ' that breath α ' is sent afterwards;It is raw based on first round information, the second wheel information of the second middle carryings of interactive information β ' At occasional transmission key;The go-between key K generated at random using occasional transmission key pairNWKIt is encrypted, generates mid-level net Network cipher key encryption information;By go-between key KNWKEncryption information carries in third interactive information γ ', is sent to second and sets It is standby;Fourth interactive information ω ' of second equipment based on third interactive information γ ' transmissions is received, and based on the centre generated at random Netkey KNWK4th interactive information ω ' is verified, if being verified, completes the go-between between the second equipment Key KNWKNegotiation;
Second equipment generates the second interactive information β ', and by the second interactive information after receiving the first interactive information α ' β ' is sent to the first equipment;Second interactive information β ' is carried:The encrypted second wheel information of key ks safe to use;Receive first Equipment is according to the third interactive information γ ' of the second interactive information β ' transmissions;The first round based on the first middle carryings of interactive information α ' Information and the second wheel information, generate occasional transmission key, and based on netkey encryption information between occasional transmission cipher key pair It is decrypted, obtains go-between key KNWK;Based on go-between key KNWKGenerate the 4th interactive information ω ', and to first Equipment sends the 4th interactive information ω '.
Wherein, the second equipment is previously stored with key bitmask;Key bitmask includes at least three cipher key index;Often A cipher key index corresponds to a device keys;
The encrypted key bitmask of key safe to use is also carried in second interactive information β ';
First equipment is additionally operable to after receiving the second interactive information β ', and key pair key bitmask safe to use carries out Decryption, and determine a cipher key index from the key bitmask middle finger after the decryption obtained;And it is generated by following step interim Transmission key:
By first round information and the second wheel information connection of the second middle carryings of interactive information β ', character string is formed;
Using predetermined encryption algorithm, using the specified corresponding device keys ks of cipher key index of the first equipment as encryption key, Character string is encrypted, occasional transmission key is generated;
And the specified cipher key index of ks pairs of the first equipment of key safe to use is encrypted, and by encrypted key rope Draw carrying in third interactive information γ ';
Second equipment is receiving third interactive information γ ' later, what the first equipment of key pair encryption safe to use was specified Cipher key index is decrypted, and obtains the specified cipher key index of the first equipment;And it is close by following step generation occasional transmission Key:
By the first round information of the first middle carryings of interactive information α ' and the second wheel information connection, character string is formed;
For using predetermined encryption algorithm, with the specified cipher key index of the first equipment of the middle carryings of third interactive information γ ' Corresponding device keys are encryption key, and character string is encrypted, and generate occasional transmission key.
Based on same inventive concept, it is close that network corresponding with network cryptographic key updating system is additionally provided in the embodiment of the present application Key update method, the principle solved the problems, such as due to the method in the embodiment of the present application and the above-mentioned netkey of the embodiment of the present application are more New system is similar, and because the implementation of the method may refer to the implementation of system, overlaps will not be repeated.
It is shown in Figure 8, network cryptographic key updating method provided by the embodiments of the present application, for carrying out network cryptographic key updating First equipment, this method include:
S801:Key updating solicited message α is generated, and key updating solicited message α is sent to the second equipment, key is more It is carried in new solicited message α:Using security key ks as encryption key, and identified using the encrypted things of predetermined encryption algorithm NTrID;Key updating solicited message α is used to indicate the second equipment and generates key updating response message β;
S802:Receive the key updating response message β of the second equipment transmission;Peace is carried in key updating response message β Full key ks is encryption key, and identifies NRsID using the response that predetermined encryption algorithm is encrypted;
S803:The go-between key consulted in advance preserved with the second equipment based on security key ks, the first equipment KNWK, the response that carries of things mark NTrID, key updating response message β identify NRsID, generate first network key NKNWK1
S804:Use first network key NKNWK1, to the response that is carried in key updating response message β identify NRsID into Row cryptographic calculation, generate first network cipher key encryption information, and by first network cipher key encryption information carry key updating at It is sent to the second equipment in work(information γ;
S805:The key updating that the second equipment is sent after being verified first network cipher key encryption information is received to terminate Information ω, and use first network key NKNWK1Key updating ending message ω is verified, if being verified, is completed Network cryptographic key updating process.
In the embodiment of the present application, things mark is sent to the second equipment by the first equipment first in a manner of encrypted. After one equipment obtains things mark and response mark, things mark can be based on, response mark generates first network key, and uses Updated first network key pair first key verification information is encrypted, and is sent to the second equipment;First equipment can also It goes to substitute original netkey by newer netkey, and then avoids the preset netkey of long-time service and added The information of close interaction, and the leakage of interactive information is caused, improve the safety of wireless network communication in internet of things equipment.
Optionally, in another embodiment of the application, security key ks, go-between key K are based onNWK, things mark The response mark NRsID carried in NTrID, key updating response message β, generates first network key NKNWK1, specifically include:
Use go-between key KNWKXOR operation is carried out with security key ks, obtains the first encryption information;
Things is identified to NRsID splicings entrained in NTrID and key updating response message β, forms the first character String;
Using predetermined encryption algorithm, using the first encryption information as encryption key, the first character string is encrypted, generates the One netkey NKNWK1
Optionally, in another embodiment of the application, using being carried in first network key pair key updating response message β Response mark NRsID be encrypted operation, generate first network cipher key encryption information, specifically include:
XOR operation is carried out using response mark NRsID entrained in the second timestamp and key updating response message β, Generate first key verification information;
Use first network key NKNWK1To carrying out first key verification information encryption, the encryption of first network key is generated Information.
Optionally, in another embodiment of the application, key updating solicited message α also carries key ks safe to use and adds Close first time stamp;
First network key NK based on generationNWK1Key updating ending message ω is verified, is specifically included:
The first network key NK generated using the first equipmentNWK1The second network that key updating ending message ω is carried Cipher key encryption information is decrypted, and obtains third key authentication information;
And
XOR operation is carried out using the first time stamp of the things mark NTrID, the preservation of the first equipment that generate at random, is obtained 4th key authentication information;
It detects obtained third key authentication information and whether the 4th key authentication information is consistent;
If the two is consistent, it is verified.
Optionally, in another embodiment of the application, network cryptographic key updating method further includes:
After receiving key updating response message β, and before generation key updating successful information γ, to encrypted second Timestamp is decrypted, and the second timestamp is obtained, and whether detects the time difference between the second timestamp and current time less than default Second time threshold;Detecting that the time difference between the second timestamp and current time is less than preset second time threshold Afterwards, first network key NK is generatedNWK1
The encrypted third timestamp of key safe to use is also carried in key updating successful information γ;
After receiving key updating ending message ω, and using the first network key NK generatedNWK1More to key Before new ending message ω is verified, encrypted 4th timestamp is decrypted in key ks safe to use, obtains the 4th Timestamp, and detect whether the time difference between the 4th timestamp and current time is less than preset 4th time difference threshold value; The time difference between the 4th timestamp and current time is detected less than after preset 4th time difference threshold value, key updating is terminated Information ω is verified.
Optionally, in another embodiment of the application, the first authentication letter is also carried in key updating solicited message α Breath, this method further include:
Generate the identity information of the first equipment;First authentication information is that the first equipment carries out 1 Kazakhstan to identity information Uncommon operation obtains;
Pre-save the identity information of the second equipment;
Before generating key updating successful information γ, 1 Hash operation is carried out to the identity information of the second equipment, and examine The identity information for surveying the second equipment for having carried out 1 Hash operation is recognized with the second identity carried in key updating response message β Whether consistent demonstrate,prove information;In the key updating for the identity information and acquisition for detecting the second equipment for having carried out 1 Hash operation After the second authentication information for being carried in solicited message α is consistent, key updating successful information γ is generated.
It is shown in Figure 9, network cryptographic key updating method provided by the embodiments of the present application, for carrying out network cryptographic key updating Second equipment, this method include:
S901:After receiving key updating solicited message α, key updating response message β is generated, and key updating response is believed Breath β is sent to the first equipment;It is carried in key updating response message β:Using security key as encryption key, and added using default Close algorithm, the response mark NRsID being encrypted;
S902:The things mark NTrID that is carried based on key updating solicited message α, security key ks, the first equipment and the The go-between key K consulted in advance that two equipment preserveNWK, response identify NRsID, generate the second netkey NKNWK2
S903:Use the second netkey NKNWK2, to the first net carried in the key updating successful information γ that receives Operation is decrypted in network cipher key encryption information, obtains first network cipher key encryption information;
S904:First network cipher key encryption information is verified, after being verified, key updating is generated based on the second netkey Ending message ω, and send key updating ending message ω to the first equipment.
In the embodiment of the present application, response mark is sent to the first equipment by the second equipment first in a manner of encrypted. After two equipment obtain things mark and response mark, things mark can be based on, response mark generates the second netkey, and uses Updated the second key authentication of second netkey pair information is encrypted, and is sent to the first equipment;Second equipment can also It goes to substitute original netkey by newer netkey, and then avoids the preset netkey of long-time service and added The information of close interaction, and the leakage of interactive information is caused, improve the safety of wireless network communication in internet of things equipment.
Optionally, in another embodiment of the application, the things mark NTrID that is carried based on key updating solicited message α, Security key ks, go-between key KNWK, response identify NRsID, generate the second netkey, specifically include:
Use go-between key KNWKXOR operation is carried out with security key ks, obtains the second encryption information;
Response is identified to Transaction Identifier splicing entrained in NRsID and key updating solicited message α, forms the second word Symbol string;
Using predetermined encryption algorithm, using the second encryption information as encryption key, the second character string is encrypted, generates the Two netkeys.
Optionally, it in another embodiment of the application, is also carried in the key updating response message safe to use close Encrypted second timestamp of key;
It verifies, specifically includes to being updated successfully the first network cipher key encryption information carried in information:
First network key entrained in the key updating successful information γ is added using second netkey Confidential information is decrypted, and obtains the first key verification information;And
XOR operation is carried out using response mark NRsID with second timestamp that second equipment preserves to obtain To the second key authentication information;
Whether the first key verification information and the second key authentication information that detection decryption obtains are consistent;
If the two is consistent, it is verified.
Optionally, in another embodiment of the application, key updating ending message ω, tool are generated based on the second netkey Body includes:
Using things mark NTrID, stamp carries out XOR operation at the first time, generates third key authentication information;
Third key authentication information is encrypted using the second netkey, generates the second netkey encryption information;
Generate key updating ending message ω;The second netkey encryption information is carried in key updating ending message ω.
Optionally, in another embodiment of the application, network cryptographic key updating method further includes:
It is safe to use close after receiving key updating solicited message α, and before the generation key updating response message β Stamp of encrypted first time is decrypted in key ks, obtains and stabs at the first time, and detects at the first time between stamp and current time Time difference whether be less than poor threshold value of preset first time;It is small in time difference of the detection at the first time between stamp and current time After poor threshold value of preset first time, key updating response message is generated;
Encrypted second timestamps of key ks safe to use are also carried in key updating response message β;
After receiving key updating successful information γ, before generating key updating ending message ω, key safe to use Encrypted third timestamp is decrypted in ks, obtains third timestamp, and detect between third timestamp and current time Whether the time difference is less than preset third time difference threshold value;Time difference between detection third timestamp and current time is less than After preset third time difference threshold value, key updating ending message ω is generated.
Optionally, in another embodiment of the application, network cryptographic key updating method further includes:
Before generating key updating response message, 1 Hash is carried out to the identity information of the first equipment pre-saved Operation, and detect the carried in the identity information of the first equipment for having carried out 1 Hash operation and key updating solicited message α Whether one authentication information is consistent;In the identity information for detecting the first equipment for having carried out 1 Hash operation and acquisition After the first authentication information for being carried in key updating solicited message α is consistent, key updating response message β is generated.
Encrypted 4th timestamp of key safe to use is also carried in the key updating ending message ω;
Optionally, in another embodiment of the application, the second equipment pre-saves the identity information of the first equipment;
Before generating key updating response message β, 1 Hash is carried out to the identity information of the first equipment pre-saved Operation, and detect the carried in the identity information of the first equipment for having carried out 1 Hash operation and key updating solicited message Whether one authentication information is consistent;In the identity information for detecting the first equipment for having carried out 1 Hash operation and acquisition After the first authentication information for being carried in key updating solicited message is consistent, key updating response message β is generated;
And
The second authentication information of the second equipment is also carried in key updating response message β;
The identity information of the second equipment is generated in advance;Second authentication information is that the identity information of the second equipment carries out 1 Secondary Hash operation obtains;
The embodiment of the present application also provides a kind of network cryptographic key updating device, for executing 8 embodiment of the method for above-mentioned corresponding diagram The step of, the network cryptographic key updating system which is used to be made of the first equipment and the second equipment, and it is mounted on the first equipment In, which includes:
First interactive module, is used for:Key updating solicited message is generated, and key updating solicited message is sent to second Interactive module carries in key updating solicited message:Using security key as encryption key, and encrypted using predetermined encryption algorithm Things mark;Key updating solicited message is used to indicate the second interactive module and generates key updating response message;Receive second The key updating response message that interactive module is sent;It is encryption key that security key is carried in key updating response message, and It is identified using the response that predetermined encryption algorithm is encrypted;It is protected based on security key, the first interactive module and the second interactive module The response mark that the go-between key consulted in advance, things mark, the key updating response message deposited carry, generates first Netkey;Using first network key, operation is encrypted to the response mark carried in key updating response message, is generated First network cipher key encryption information, and first network cipher key encryption information carried and is sent in key updating successful information the Two interactive modules;Receive the key updating knot that the second interactive module is sent after being verified to first network cipher key encryption information Beam information, and verified using first network key pair key updating ending message, if being verified, complete netkey Renewal process.
Optionally, in another embodiment of the application, the first interactive module is additionally operable to be based on according to following step safe close Key ks, go-between key KNWK, things mark NTrID, the response mark NRsID carried in key updating response message β, it is raw At first network key NKNWK1
XOR operation is carried out using netkey and security key ks, obtains the first encryption information;
Things is identified to NRsID splicings entrained in NTrID and key updating response message β, forms the first character String;
Using predetermined encryption algorithm, using the first encryption information as encryption key, the first character string is encrypted, generates the One netkey NKNWK1
Optionally, in another embodiment of the application, the first module is additionally operable to:
Operation is encrypted using the response mark NRsID carried in first network key pair key updating response message β, First network cipher key encryption information is generated, is specifically included:
XOR operation is carried out using response mark NRsID entrained in the second timestamp and key updating response message β, Generate first key verification information;
Use first network key NKNWK1To carrying out first key verification information encryption, the encryption of first network key is generated Information.
Optionally, in another embodiment of the application, key updating solicited message α also carries key ks safe to use and adds Close first time stamp;
First interactive module is additionally operable to the first network key NK based on generation according to following stepNWK1To key updating Ending message ω is verified:
The first network key NK generated using the first equipmentNWK1The second network that key updating ending message ω is carried Cipher key encryption information is decrypted, and obtains third key authentication information;
And
XOR operation is carried out using the first time stamp of the things mark NTrID, the preservation of the first equipment that generate at random, is obtained 4th key authentication information;
It detects obtained third key authentication information and whether the 4th key authentication information is consistent;
If the two is consistent, it is verified.
Optionally, in another embodiment of the application, the first interactive module is additionally operable to:
After receiving key updating response message β, and before generation key updating successful information γ, to encrypted second Timestamp is decrypted, and the second timestamp is obtained, and whether detects the time difference between the second timestamp and current time less than default Second time threshold;Detecting that the time difference between the second timestamp and current time is less than preset second time difference threshold After value, first network key NK is generatedNWK1
The encrypted third timestamp of key safe to use is also carried in key updating successful information γ;
After receiving key updating ending message ω, and using the first network key NK generatedNWK1More to key Before new ending message ω is verified, encrypted 4th timestamp is decrypted in key ks safe to use, obtains the 4th Timestamp, and detect whether the time difference between the 4th timestamp and current time is less than preset 4th time difference threshold value; The time difference between the 4th timestamp and current time is detected less than after preset 4th time difference threshold value, key updating is terminated Information ω is verified.
Optionally, in another embodiment of the application, the first authentication letter is also carried in key updating solicited message α Breath;
First interactive module, is additionally operable to:
Generate the identity information of the first equipment;First authentication information is that the first equipment carries out 1 Kazakhstan to identity information Uncommon operation obtains;
Pre-save the identity information of the second equipment;
Before generating key updating successful information γ, 1 Hash operation is carried out to the identity information of the second equipment, and examine The identity information for surveying the second equipment for having carried out 1 Hash operation is recognized with the second identity carried in key updating response message β Whether consistent demonstrate,prove information;In the key updating for the identity information and acquisition for detecting the second equipment for having carried out 1 Hash operation After the second authentication information for being carried in solicited message α is consistent, key updating successful information γ is generated.
The embodiment of the present application also provides a kind of network cryptographic key updating device, for executing 9 embodiment of the method for above-mentioned corresponding diagram The step of, the network cryptographic key updating system which is used to be made of the first interactive module and the second interactive module, and be mounted on In second equipment, which includes:
Second interactive module, is used for:After receiving key updating solicited message, key updating response message is generated, and will be close Key update response message is sent to the first interactive module;It is carried in key updating response message:It is that encryption is close with security key Key, and predetermined encryption algorithm is used, the response mark being encrypted;Identified based on the things that key updating solicited message carries, Security key, the first interactive module and the go-between key of the second interactive module preservation consulted in advance, response identify, raw At the second netkey;Using second netkey, to the first net carried in the key updating successful information that receives Operation is decrypted in network cipher key encryption information, obtains the first network cipher key encryption information;Verify the first network key Encryption information after being verified, generates key updating ending message, and to first equipment based on second netkey Send the key updating ending message.
Optionally, in another embodiment of the application, the second interactive module is specifically used for being based on key according to following step Update things mark NTrID, security key ks, go-between key K that solicited message α is carriedNWK, response identify NRsID, it is raw At the second netkey:
XOR operation is carried out using netkey and security key ks, obtains the second encryption information;
Response is identified to Transaction Identifier splicing entrained in NRsID and key updating solicited message α, forms the second word Symbol string;
Using predetermined encryption algorithm, using the second encryption information as encryption key, the second character string is encrypted, generates the Two netkeys.
Optionally, it in another embodiment of the application, is also carried in the key updating response message safe to use close Encrypted second timestamp of key;
Second interactive module, specifically for being added to being updated successfully the first network key carried in information according to following step Confidential information is verified:
First network key entrained in the key updating successful information γ is added using second netkey Confidential information is decrypted, and obtains the first key verification information;And
XOR operation is carried out using response mark NRsID with second timestamp that second equipment preserves to obtain To the second key authentication information;
Whether the first key verification information and the second key authentication information that detection decryption obtains are consistent;
If the two is consistent, it is verified.
Optionally, in another embodiment of the application, the second interactive module is specifically used for being based on second according to following step Netkey generates key updating ending message ω:
Using things mark NTrID, stamp carries out XOR operation at the first time, generates third key authentication information;
Third key authentication information is encrypted using the second netkey, generates the second netkey encryption information;
Generate key updating ending message ω;The second netkey encryption information is carried in key updating ending message ω.
Optionally, in another embodiment of the application, the second interactive module is additionally operable to:
It is safe to use close after receiving key updating solicited message α, and before the generation key updating response message β Stamp of encrypted first time is decrypted in key ks, obtains and stabs at the first time, and detects at the first time between stamp and current time Time difference whether be less than poor threshold value of preset first time;It is small in time difference of the detection at the first time between stamp and current time After poor threshold value of preset first time, the second netkey is generated;
The second timestamp using the secure key encryption is also carried in the key updating response message β;
After receiving key updating successful information γ, before generating key updating ending message ω, key safe to use Encrypted third timestamp is decrypted in ks, obtains third timestamp, and detect between third timestamp and current time Whether the time difference is less than preset third time difference threshold value;Time difference between detection third timestamp and current time is less than After preset third time difference threshold value, key updating ending message ω is generated.
Optionally, in another embodiment of the application, the second interactive module is additionally operable to:
Before generating key updating response message β, 1 Hash is carried out to the identity information of the first equipment pre-saved Operation, and detect the carried in the identity information of the first equipment for having carried out 1 Hash operation and key updating solicited message α Whether one authentication information is consistent;In the identity information for detecting the first equipment for having carried out 1 Hash operation and acquisition After the first authentication information for being carried in key updating solicited message α is consistent, key updating response message β is generated.
Encrypted 4th timestamp of key safe to use is also carried in the key updating ending message;
Optionally, in another embodiment of the application, the second interactive module is additionally operable to:Pre-save the body of the first equipment Part information;
Before generating key updating response message, 1 Hash is carried out to the identity information of the first equipment pre-saved Operation, and detect the carried in the identity information of the first equipment for having carried out 1 Hash operation and key updating solicited message Whether one authentication information is consistent;In the identity information for detecting the first equipment for having carried out 1 Hash operation and acquisition After the first authentication information for being carried in key updating solicited message is consistent, key updating response message is generated;
And
The second authentication information of the second equipment is also carried in key updating response message;
The identity information of the second equipment is generated in advance;Second authentication information is that the identity information of the second equipment carries out 1 Secondary Hash operation obtains;
Corresponding to the network cryptographic key updating method in Fig. 4 and Fig. 5, the embodiment of the present application also provides a kind of computers to set Standby 100, as shown in Figure 10, which includes memory 101, processor 102 and is stored on the memory 101 and can be at this The computer program run on reason device 102, wherein above-mentioned processor 102 realizes above-mentioned network when executing above computer program The step of key updating method.
Specifically, above-mentioned memory 101 and processor 102 can be general memory 101 and processor 102, here It is not specifically limited, when the computer program of 102 run memory 101 of processor storage, is able to carry out above-mentioned netkey Update method, and then avoid the preset netkey of long-time service and interactive information is encrypted, and cause interactive information Leakage improves the safety of wireless network communication in internet of things equipment.
Corresponding to the network cryptographic key updating method in Fig. 4 and Fig. 5, the embodiment of the present application also provides a kind of computers can Storage medium is read, is stored with computer program on the computer readable storage medium, which is run by processor 102 The step of Shi Zhihang above-mentioned network cryptographic key updating methods.
Specifically, which can be general storage medium, such as mobile disk, hard disk, on the storage medium Computer program when being run, above-mentioned network cryptographic key updating method is able to carry out, to avoid using preset key for a long time And information leakage is caused, improve the safety of wireless network communication in internet of things equipment.
The computer program product for the progress network cryptographic key updating method that the embodiment of the present application is provided, including store journey The computer readable storage medium of sequence code, the instruction that program code includes can be used for executing the side in previous methods embodiment Method, specific implementation can be found in embodiment of the method, and details are not described herein.
The network cryptographic key updating device that the embodiment of the present application is provided can be equipment on specific hardware or be installed on Software or firmware in equipment etc..The technique effect of the device that the embodiment of the present application is provided, realization principle and generation is with before It is identical to state embodiment of the method, to briefly describe, device embodiment part does not refer to place, can refer to phase in preceding method embodiment Answer content.It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description, The specific work process of device and unit can refer to the corresponding process in above method embodiment, and details are not described herein.
In embodiment provided herein, it should be understood that disclosed device and method, it can be by others side Formula is realized.The apparatus embodiments described above are merely exemplary, for example, the division of unit, only a kind of logic work( It can divide, formula that in actual implementation, there may be another division manner, in another example, multiple units or component can combine or can collect At to another system, or some features can be ignored or not executed.Another point, shown or discussed mutual coupling Close or direct-coupling or communication connection can be by some communication interfaces, the INDIRECT COUPLING or communication connection of device or unit, Can be electrical, machinery or other forms.
The unit illustrated as separating component may or may not be physically separated, and be shown as unit Component may or may not be physical unit, you can be located at a place, or may be distributed over multiple networks On unit.Some or all of unit therein can be selected according to the actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in embodiment provided by the present application can be integrated in a processing unit, also may be used It, can also be during two or more units be integrated in one unit to be that each unit physically exists alone.
If function is realized in the form of SFU software functional unit and when sold or used as an independent product, can store In a computer read/write memory medium.Based on this understanding, the technical solution of the application is substantially in other words to existing There is the part for the part or the technical solution that technology contributes that can be expressed in the form of software products, the computer Software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be personal meter Calculation machine, server or network equipment etc.) execute each embodiment method of the application all or part of step.And it is above-mentioned Storage medium includes:USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory The various media that can store program code such as (RAM, Random Access Memory), magnetic disc or CD.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi It is defined, then it further need not be defined and explained in subsequent attached drawing in a attached drawing, in addition, term " the One ", " second ", " third " etc. are only used for distinguishing description, are not understood to indicate or imply relative importance.
Finally it should be noted that:Above example, the only specific implementation mode of the application, to illustrate the skill of the application Art scheme, rather than its limitations, the protection domain of the application are not limited thereto, although with reference to the foregoing embodiments to the application into Go detailed description, it will be understood by those of ordinary skill in the art that:Any one skilled in the art is at this Apply in the technical scope disclosed, still can modify or can be thought easily to the technical solution recorded in previous embodiment To variation or equivalent replacement of some of the technical features;And these modifications, variation or replacement, do not make corresponding The essence of technical solution is detached from the spirit and scope of the embodiment of the present application technical solution.The protection domain in the application should all be covered Within.Therefore, the protection domain of the application should be subject to the protection scope in claims.

Claims (10)

1. a kind of network cryptographic key updating system, which is characterized in that including:It is set into the first equipment of row data communication and second It is standby;
First equipment and second equipment preserve the go-between key consulted in advance;
First equipment is sent to second for generating key updating solicited message, and by the key updating solicited message Equipment carries in the key updating solicited message:Using security key as encryption key, and encrypted using predetermined encryption algorithm Things mark;It is answered when receiving the key updating for carrying out response to the key updating solicited message that second equipment is sent After answering information, based on the security key, the go-between key, things mark, the key updating response message The response of middle carrying identifies, and generates first network key, and the go-between used originally using the first network key pair Key is updated;And using the response carried in key updating response message described in the first network key pair identify into Row cryptographic calculation, generate first network cipher key encryption information, and by the first network cipher key encryption information carry key more It is sent to second equipment in new successful information;It is anti-according to the first network cipher key encryption information to receive second equipment The key updating ending message of feedback, and key updating ending message described in the first network key pair using generation is tested Card, if being verified, completes network cryptographic key updating process;
Second equipment generates key updating response message, and will be described after receiving the key updating solicited message Key updating response message is sent to first equipment;It is carried in the key updating response message:It is close with the safety Key is encryption key, and is identified using the response that the predetermined encryption algorithm is encrypted;When receiving the first equipment root After key updating successful information according to key updating response message feedback, carried based on the key updating solicited message Things mark, the security key, the go-between key, response mark, generate the second netkey, using described Second netkey is updated the netkey used originally, and is based on second netkey, more to key The first network key encryption letter carried in new successful information is verified;After being verified, it is based on second netkey Key updating ending message is generated, and the key updating ending message is sent to first equipment;
Wherein, the first network key is identical with second netkey.
2. system according to claim 1, which is characterized in that first equipment is specifically used for being based on by following step The response mark carried in the security key, the go-between key, things mark, the key updating response message Know, generates first network key:
The go-between key preserved using the first equipment carries out XOR operation with the security key, obtains the first encryption letter Breath;
By the things identify and the key updating response message in entrained response identify splicing, form the first character String;
Using predetermined encryption algorithm, using first encryption information as encryption key, first character string is encrypted, it is raw At the first network key;
Second equipment is identified based on the things that the key updating solicited message carries specifically for passing through following step, is described Security key, the go-between key, response mark, generate the second netkey:
The go-between key preserved using the second equipment carries out XOR operation with the security key, obtains the second encryption Information;
By the response identify and the key updating solicited message in entrained Transaction Identifier splicing, form the second character String;
Using the predetermined encryption algorithm, using second encryption information as encryption key, second character string is added It is close, generate second netkey.
3. system according to claim 1, which is characterized in that also carried in the key updating response message using peace Encrypted second timestamp of full key;
First equipment is specifically used for believing using key updating response described in the first network key pair by following step Operation is encrypted in the response mark carried in breath, generates first network cipher key encryption information:
XOR operation is carried out using response mark entrained in second timestamp and the key updating response message, it is raw At first key verification information;
Using first key verification information encryption is carried out described in the first network key pair, generates the first network key and add Confidential information;
Second equipment especially by following step to be updated successfully the first network cipher key encryption information carried in information into Row verification:
Using second netkey to first network cipher key encryption information entrained in the key updating successful information It is decrypted, obtains the first key verification information;And
It is close that second timestamp progress XOR operation preserved with second equipment using response mark obtains second Key verification information;
Whether the first key verification information and the second key authentication information that detection decryption obtains are consistent;
If the two is consistent, it is verified.
4. system according to claim 1, which is characterized in that the key updating solicited message also carries safe to use The encrypted first time stamp of key;
Second equipment terminates letter specifically for passing through following step based on second netkey generation key updating Breath:
XOR operation is carried out using things mark, first time stamp, generates third key authentication information;
The third key authentication information is encrypted using second netkey, generates the second netkey encryption letter Breath;
Generate the key updating ending message;The second netkey encryption letter is carried in the key updating ending message Breath;
First equipment is specifically used for through key described in the first network key pair of the following step based on the generation Update ending message is verified:
The second network that key updating ending message carries described in the first network key pair generated using first equipment is close Key encryption information is decrypted, and obtains the third key authentication information;
And
The first time stamp preserved using the things mark, first equipment that generate at random carries out XOR operation, obtains the 4th Key authentication information;
It detects the obtained third key authentication information and whether the 4th key authentication information is consistent;
If the two is consistent, it is verified.
5. system according to claim 1, which is characterized in that the key updating solicited message also carries safe to use The encrypted first time stamp of key;
Second equipment is additionally operable to after receiving the key updating solicited message, and is generated the key updating and answered Before answering information, the encrypted first time stamp is decrypted using the security key, obtains the first time stamp, and Whether the time difference detected between the first time stamp and current time is less than poor threshold value of preset first time;In detection institute It states and is stabbed at the first time the time difference between current time less than after poor threshold value of preset first time, generate the key updating Response message;
The second timestamp using the secure key encryption is also carried in the key updating response message;
First equipment is additionally operable to after receiving the key updating response message, and is generated key updating and successfully believed Before breath, encrypted second timestamp is decrypted, obtains second timestamp, and detect second timestamp and work as Whether the time difference between the preceding time is less than preset second time difference threshold value;Detect second timestamp with it is current when Between between time difference be less than preset second time difference threshold value after, generate key updating successful information;
The third timestamp using the secure key encryption is also carried in the key updating successful information;
Second equipment is additionally operable to after receiving the key updating successful information, and generates the key updating knot Before beam information, encrypted third timestamp is decrypted using the security key, obtains the third timestamp, and examine Whether the time difference surveyed between the third timestamp and current time is less than preset third time difference threshold value;Described in detection After time difference between third timestamp and current time is less than preset third time difference threshold value, the key updating knot is generated Beam information;
Encrypted 4th timestamp of key safe to use is also carried in the key updating ending message;
First equipment, is additionally operable to after receiving key updating ending message, and is using the first network generated Before key updating ending message described in key pair is verified, encrypted 4th timestamp is carried out using the security key Decryption obtains the 4th timestamp, and detects whether the time difference between the 4th timestamp and current time is less than in advance If the 4th time difference threshold value;When detecting the time difference between the 4th timestamp and current time less than the preset 4th Between after poor threshold value, the key updating ending message is verified.
6. system according to claim 1, which is characterized in that also carry the first body in the key updating solicited message Part authentication information;
The identity information of first equipment is generated in advance in first equipment;First authentication information is described first Equipment carries out 1 Hash operation to the identity information and obtains;
Second equipment pre-saves the identity information of first equipment;
Second equipment is additionally operable to before generating key updating response message, to first equipment that pre-saves Identity information carries out 1 Hash operation, and detects the identity information for the first equipment for having carried out 1 Hash operation and the key Whether the first authentication information carried in update solicited message is consistent;The first of 1 Hash operation has been carried out detecting After the identity information of equipment is consistent with the first authentication information carried in the key updating solicited message of acquisition, generate The key updating response message;
And
The second authentication information of second equipment is also carried in the key updating response message;
The identity information of second equipment is generated in advance in second equipment;Second authentication information is described the The identity information of two equipment carries out 1 Hash operation and obtains;
First equipment pre-saves the identity information of second equipment;
First equipment is additionally operable to before generating key updating successful information, is carried out to the identity information of second equipment 1 Hash operation, and detect the identity information for the second equipment for having carried out 1 Hash operation and the key updating response message Whether the second authentication information of middle carrying is consistent;In the identity letter for detecting the second equipment for having carried out 1 Hash operation After breath is consistent with the second authentication information carried in the key updating solicited message obtained, the key updating is generated Successful information.
7. a kind of network cryptographic key updating method, which is characterized in that the first equipment for executing network cryptographic key updating, this method packet It includes:
Key updating solicited message is generated, and the key updating solicited message is sent to the second equipment, the key updating It is carried in solicited message:Using security key as encryption key, and identified using the encrypted things of predetermined encryption algorithm;It is described close Key update solicited message is used to indicate second equipment and generates key updating response message;
Receive the key updating response message that second equipment is sent;The peace is carried in the key updating response message Full key is encryption key, and is identified using the response that the predetermined encryption algorithm is encrypted;
The go-between consulted in advance preserved based on the security key, first equipment and second equipment is close The response mark that key, things mark, the key updating response message carry, generates first network key;
Using the first network key, operation is encrypted to the response mark carried in the key updating response message, First network cipher key encryption information is generated, and the first network cipher key encryption information is carried in key updating successful information It is sent to second equipment;
The key updating that second equipment is sent after being verified the first network cipher key encryption information is received to terminate Information, and verified using the first network key pair key updating ending message, if being verified, it is close to complete network Key renewal process.
8. a kind of network cryptographic key updating method, which is characterized in that the second equipment for executing network cryptographic key updating, this method packet It includes:
After receiving the key updating solicited message, key updating response message is generated, and by the key updating response message It is sent to the first equipment;It is carried in the key updating response message:Using security key as encryption key, and added using default Close algorithm, the response mark being encrypted;
Things mark, the security key, first equipment and described the carried based on the key updating solicited message The go-between key of two equipment preservation consulted in advance, response mark, generate the second netkey;
Using second netkey, letter is encrypted to the first network key carried in the key updating successful information that receives Operation is decrypted in breath, obtains the first network cipher key encryption information;
The first network cipher key encryption information is verified, after being verified, key updating is generated based on second netkey Ending message, and send the key updating ending message to first equipment.
9. a kind of network cryptographic key updating device, which is characterized in that the netkey for being made of the first equipment and the second equipment More new system;The first interactive module is installed in first equipment;The second interactive module is installed in second equipment;
First interactive module, is used for:Key updating solicited message is generated, and the key updating solicited message is sent to Second interactive module carries in the key updating solicited message:Using security key as encryption key, and use predetermined encryption The things of algorithm for encryption identifies;The key updating solicited message is used to indicate the second interactive module generation key updating and answers Answer information;Receive the key updating response message that second interactive module is sent;It is carried in the key updating response message It is encryption key to have the security key, and is identified using the response that the predetermined encryption algorithm is encrypted;Based on the peace It is the go-between key consulted in advance that full key, first interactive module are preserved with second interactive module, described The response mark that things mark, the key updating response message carry, generates first network key;Use described first Netkey is encrypted operation to the response mark carried in the key updating response message, generates first network key Encryption information, and the first network cipher key encryption information is carried and is sent to second friendship in key updating successful information Mutual module;Receive key that second interactive module is sent after being verified to the first network cipher key encryption information more New ending message, and verified using the first network key pair key updating ending message, if being verified, complete Network cryptographic key updating process.
10. a kind of network cryptographic key updating device, which is characterized in that for what is be made of the first interactive module and the second interactive module Network cryptographic key updating system;First interactive module is installed in the first equipment;Second interactive module is installed in the second equipment;
Second interactive module, is used for:After receiving the key updating solicited message, key updating response message is generated, and The key updating response message is sent to first interactive module;It is carried in the key updating response message:With Security key is encryption key, and uses predetermined encryption algorithm, the response mark being encrypted;It is asked based on the key updating Things mark, the security key, first interactive module of information carrying preserve advance with second interactive module The go-between key that consults, response mark, generate the second netkey;Use second netkey, docking Operation is decrypted in the first network cipher key encryption information carried in the key updating successful information received, obtains first net Network cipher key encryption information;The first network cipher key encryption information is verified, after being verified, is given birth to based on second netkey The key updating ending message is sent at key updating ending message, and to first equipment.
CN201810693901.1A 2018-06-29 2018-06-29 System, method and device for updating network key Active CN108449756B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810693901.1A CN108449756B (en) 2018-06-29 2018-06-29 System, method and device for updating network key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810693901.1A CN108449756B (en) 2018-06-29 2018-06-29 System, method and device for updating network key

Publications (2)

Publication Number Publication Date
CN108449756A true CN108449756A (en) 2018-08-24
CN108449756B CN108449756B (en) 2020-06-05

Family

ID=63206900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810693901.1A Active CN108449756B (en) 2018-06-29 2018-06-29 System, method and device for updating network key

Country Status (1)

Country Link
CN (1) CN108449756B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274490A (en) * 2018-09-25 2019-01-25 苏州科达科技股份有限公司 SRTP code stream master key update method, system, equipment and storage medium
CN109544747A (en) * 2018-11-20 2019-03-29 北京千丁互联科技有限公司 Encryption key update method, system and the computer storage medium of intelligent door lock
CN111193592A (en) * 2018-11-14 2020-05-22 银联国际有限公司 Public key updating method between two systems
CN111355684A (en) * 2018-12-20 2020-06-30 中移(杭州)信息技术有限公司 Internet of things data transmission method, device and system, electronic equipment and medium
CN111526128A (en) * 2020-03-31 2020-08-11 中国建设银行股份有限公司 Encryption management method and device
CN111585939A (en) * 2019-02-18 2020-08-25 深圳市致趣科技有限公司 Method and system for end-to-end identity authentication and communication encryption between Internet of things devices

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method
CN103297963A (en) * 2013-05-10 2013-09-11 无锡北邮感知技术产业研究院有限公司 Certificateless-based M2M (Machine to machine) privacy protection and key management method and certificateless-based M2M privacy protection and key management system
CN107104932A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 Key updating method, apparatus and system
CN107294932A (en) * 2016-04-12 2017-10-24 中国电信股份有限公司 Method and server for centralized control type key management
CN108173808A (en) * 2017-11-30 2018-06-15 华东师范大学 A kind of lightweight dynamic key data encryption device and method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970679A (en) * 2012-11-21 2013-03-13 联想中望系统服务有限公司 Identity-based safety signature method
CN103297963A (en) * 2013-05-10 2013-09-11 无锡北邮感知技术产业研究院有限公司 Certificateless-based M2M (Machine to machine) privacy protection and key management method and certificateless-based M2M privacy protection and key management system
CN107104932A (en) * 2016-02-23 2017-08-29 中兴通讯股份有限公司 Key updating method, apparatus and system
CN107294932A (en) * 2016-04-12 2017-10-24 中国电信股份有限公司 Method and server for centralized control type key management
CN108173808A (en) * 2017-11-30 2018-06-15 华东师范大学 A kind of lightweight dynamic key data encryption device and method

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109274490A (en) * 2018-09-25 2019-01-25 苏州科达科技股份有限公司 SRTP code stream master key update method, system, equipment and storage medium
CN111193592A (en) * 2018-11-14 2020-05-22 银联国际有限公司 Public key updating method between two systems
CN109544747A (en) * 2018-11-20 2019-03-29 北京千丁互联科技有限公司 Encryption key update method, system and the computer storage medium of intelligent door lock
CN111355684A (en) * 2018-12-20 2020-06-30 中移(杭州)信息技术有限公司 Internet of things data transmission method, device and system, electronic equipment and medium
CN111355684B (en) * 2018-12-20 2022-06-28 中移(杭州)信息技术有限公司 Internet of things data transmission method, device and system, electronic equipment and medium
CN111585939A (en) * 2019-02-18 2020-08-25 深圳市致趣科技有限公司 Method and system for end-to-end identity authentication and communication encryption between Internet of things devices
CN111585939B (en) * 2019-02-18 2023-04-14 深圳市致趣科技有限公司 End-to-end identity authentication and communication encryption method and system between Internet of things devices
CN111526128A (en) * 2020-03-31 2020-08-11 中国建设银行股份有限公司 Encryption management method and device

Also Published As

Publication number Publication date
CN108449756B (en) 2020-06-05

Similar Documents

Publication Publication Date Title
US10785019B2 (en) Data transmission method and apparatus
CN107404461B (en) Data secure transmission method, client and server method, device and system
CN108449756A (en) A kind of system of network cryptographic key updating, method and device
CN108347419A (en) Data transmission method and device
CN109309565A (en) A kind of method and device of safety certification
CN103546289B (en) USB (universal serial bus) Key based secure data transmission method and system
CN110213041A (en) Data ciphering method, decryption method, device, electronic equipment and storage medium
CN105991285A (en) Identity authentication methods, devices and system applied to quantum key distribution process
CN106341228B (en) A kind of virtual machine migration method, system and virtual machine move into end and end of moving out
CN106612180A (en) Method and device for realizing session identifier synchronization
CN110365662B (en) Business approval method and device
CN110635901B (en) Local Bluetooth dynamic authentication method and system for Internet of things equipment
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN109818747A (en) Digital signature method and device
CN110224834A (en) Identity identifying method, decryption and ciphering terminal based on dynamic token
CN105871805A (en) Anti-stealing-link method and device
CN108549824A (en) A kind of data desensitization method and device
CN109767218A (en) Block chain certificate processing method and system
CN108199847A (en) Security processing method, computer equipment and storage medium
CN109005184A (en) File encrypting method and device, storage medium, terminal
CN108599926A (en) A kind of HTTP-Digest modified AKA identity authorization systems and method based on pool of symmetric keys
CN106897631A (en) Data processing method, apparatus and system
CN111130799B (en) Method and system for HTTPS protocol transmission based on TEE
CN110049032A (en) A kind of the data content encryption method and device of two-way authentication
CN106161363B (en) SSL connection establishment method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant