CN108471352A - Processing method, system, computer equipment based on distributed private key and storage medium - Google Patents


Info

Publication number: CN108471352A
Authority: CN (China)
Prior art keywords: client, server, private key, customer, module
Legal status: Granted (active)
Application number: CN201810220635.0A
Other languages: Chinese (zh)
Other versions: CN108471352B (en)
Inventor: 张永强
Current Assignee: Guangdong Authentication Technology Co Ltd; Age Of Security Polytron Technologies Inc
Original Assignee: Guangdong Authentication Technology Co Ltd; Age Of Security Polytron Technologies Inc
Application filed by: Guangdong Authentication Technology Co Ltd, Age Of Security Polytron Technologies Inc
Priority to CN201810220635.0A; publication of CN108471352A; application granted; publication of CN108471352B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/088: Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Abstract

This application relates to a processing method, computer equipment and a computer storage medium based on a distributed private key. In one embodiment, the processing method based on a distributed private key includes: receiving a message sent by a client; and, when the message meets the use condition for the server-side private key component, sending a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier. With this scheme the cipher machine does not need to store a massive number of keys, which avoids the possibility of stored keys being illegally obtained by a third party and strengthens the security of the private key components of the distributed private key.

Description

Processing method, system, computer equipment based on distributed private key and storage medium
Technical field
This application relates to the technical field of cryptography, and in particular to a processing method based on a distributed private key, a processing system based on a distributed private key, computer equipment and a computer storage medium.
Background
With the development of the mobile Internet, performing digital signatures on mobile terminals has become an urgent need. Because the operating system of a mobile terminal is a modifiable, untrusted running environment, many researchers have proposed schemes in which an electronic signature is generated collaboratively on the basis of a distributed key, in order to effectively protect the user's signing private key on the mobile terminal. In such a scheme each of the two communicating parties stores part of the private key, the two parties must act jointly to sign or decrypt a message, and neither party can obtain any information about the other party's private key. When implementing a collaborative signature scheme, however, measures must be taken to effectively protect the private key components of the client and the server, so as to resist attacks such as channel eavesdropping and client-side Trojans.
Summary of the invention
In view of this, it is necessary to provide a processing method based on a distributed private key, a processing system based on a distributed private key, computer equipment and a computer storage medium.
A processing method based on a distributed private key, the method including the steps of:
Receiving a message sent by a client;
When the message meets the use condition for the server-side private key component, sending a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
A processing method based on a distributed private key, the method including the steps of:
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain a client private key component ciphertext, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
A processing method based on a distributed private key, the method including the steps of:
The client obtains a user identification code and a client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
A processing system based on a distributed private key, the system including a client and a server;
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain a client private key component ciphertext, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
A processing system based on a distributed private key, the system including a client and a server;
The client obtains a user identification code and a client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
Computer equipment including a memory and a processor, the memory storing a computer program. When the processor executes the computer program, it implements the steps of the above method, or the processing steps of the client or the server in the method described above.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above method, or the processing steps of the client or the server in the method described above.
According to the embodiments described above, when the server needs to use the server-side private key component, the cipher machine's symmetric key is used to encrypt the server-side platform identifier and generate the server-side private key component. The cipher machine does not need to store a massive number of keys: storing only the symmetric key is enough to generate the corresponding server-side key components for a large number of users. This avoids the possibility of stored keys being illegally obtained by a third party and strengthens the security of the private key components of the distributed private key.
Brief description of the drawings
Fig. 1 is the flow diagram of the processing method based on distributed private key in one embodiment;
Fig. 2 is the flow diagram of the processing method based on distributed private key in another embodiment;
Fig. 3 is the processing flow schematic diagram in the processing method based on distributed private key in one embodiment;
Fig. 4 is the flow diagram of the processing method based on distributed private key in another embodiment;
Fig. 5 is the processing flow schematic diagram in the processing method based on distributed private key in one embodiment;
Fig. 6 is the module diagram of the processing system based on distributed private key in another embodiment;
Fig. 7 is the internal structure schematic diagram of the computer equipment in one embodiment.
Detailed description
In order to make the objects, technical solutions and advantages of this application clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only serve to explain the application and do not limit it.
The scheme of the embodiments involves two devices, denoted device one and device two. Device one holds the device-one private key component and device two holds the device-two private key component. In collaborative signing and decryption, device one works from the device-one private key component and device two from the device-two private key component, and the two cooperate to complete the signing or decryption process. In some embodiments device one may be a terminal and device two a server, realizing collaborative signing and decryption between terminal and server. Device one and device two may specifically be desktop terminals, mobile terminals, smart wearable devices or any other devices that can perform collaborative signing or decryption; when device two is a server, it may be a standalone server or a server cluster composed of multiple servers.
As shown in Fig. 1, the processing method based on a distributed private key in one embodiment includes the following steps S101 and S102. The method can be applied to a server.
Step S101: Receive the message sent by the client.
The message sent by the client can be any possible message, as long as it can instruct or trigger the server to perform an operation related to the server-side private key component. In one embodiment, the message may be one sent while instructing the server to generate the server-side private key, or one sent while performing a digital signature or decryption. The information contained in the message may differ between technical scenarios.
In one embodiment, the message sent by the client may contain only what is needed to instruct or trigger the server to perform an operation related to the server-side private key component.
In one embodiment, the message sent by the client may include a user identifier. With the user identifier in the message, the server can subsequently generate the server-side private key component corresponding to that user identifier, and can thus generate different server-side private key components for different users.
In one embodiment, the message sent by the client may include a key identifier. With the key identifier in the message, the server can subsequently generate the server-side private key component corresponding to that key identifier, and can thus generate different server-side private key components for different key identifiers; the different components can serve different purposes.
In one embodiment, the message sent by the client may include both a user identifier and a key identifier. The server can then use the user identifier and the key identifier to generate different server-side private key components corresponding to that user identifier, and these different components can be used for different purposes of that user.
Step S102: When the message meets the use condition for the server-side private key component, send a control instruction to the cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
The use condition for the server-side private key component can be set in different ways, as long as the message can trigger the server to send the above control instruction to the cipher machine.
For example, in one embodiment the message may be a message exchanged while the client and the server cooperate to generate the server-side private key component.
In another embodiment, the message may be a message exchanged while the client and the server cooperate in encryption, signing or decryption. Taking signing as an example, the control instruction can be a signature instruction, which instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key and to perform the digital signature based on that component; the cipher machine is thus instructed to generate the server-side private key component in the course of performing the digital signature. The server thereby actually completes the generation of the server-side private key component while performing the digital signature, and neither the server hosting the server side nor the cipher machine needs to store the generated component. When the server has to sign collaboratively with the users of many different user terminals, the server and the cipher machine do not need to store a massive number of server-side private key components, which further improves security.
In one embodiment, when the message sent by the client includes a user identifier, the associated information may also include that user identifier. Based on the control instruction, the cipher machine then generates the server-side private key component from the server-side platform identifier, the user identifier and the cipher machine's symmetric key. The server can thus generate the server-side private key component corresponding to the user identifier, and accordingly generate different components for different users.
In one embodiment, when the message sent by the client includes a key identifier, the associated information also includes that key identifier. Based on the control instruction, the cipher machine then generates the server-side private key component from the server-side platform identifier, the key identifier and the cipher machine's symmetric key. The server can thus generate different server-side private key components for different key identifiers, and the different components can serve different purposes.
In one embodiment, when the message sent by the client includes both a user identifier and a key identifier, the associated information also includes both. Based on the control instruction, the cipher machine then generates the server-side private key component from the server-side platform identifier, the user identifier, the key identifier and the cipher machine's symmetric key. The server can thus generate different server-side private key components corresponding to the user identifier, which can be used for different purposes of that user.
The generated server-side private key component can be restricted so that it cannot be exported from the cipher machine in plaintext, and can also be restricted so that it may not be stored in a non-volatile storage component. This further strengthens the protection of the server-side private key component and further improves security.
The server-side platform identifier can be determined in any possible way. In one embodiment, before the control instruction is sent to the cipher machine, the method may further include the step of generating the server-side platform identifier. This can be done in any possible way. For example, in one embodiment a random number is produced by a random number generator and used as the server-side platform identifier, which increases the randomness of the identifier and therefore of the server-side private key component generated from it, which further strengthens security. In another embodiment, the server-side platform identifier can be generated from information about the server using some algorithm.
In one embodiment, after the control instruction is sent, the method may further include the step of:
Sending a destroy instruction to the cipher machine, which instructs the cipher machine to destroy the copy of the server-side private key component in memory. Thus, each time the server-side private key component has been used, its copy in memory is destroyed; once it is destroyed, the server-side private key component can only be restored by again performing the verification process paired with the client private key component. This prevents an unauthorized server-side application from using some user's server-side private key component by sending instructions to the cipher machine, which further strengthens security.
One specific example is described in detail below. It covers the generation, the use and the protection of the server-side private key component.
To generate the server-side private key component, the server generates a server-side platform identifier PlatformID, and a symmetric key X for a symmetric encryption algorithm is generated and stored inside the cipher machine. In a specific example, the server-side private key component can be generated as follows:
The server receives the user identifier UserID and the key identifier KeyID sent by the client. UserID identifies different users and KeyID distinguishes different keys; one key identifier corresponds to one client private key component and one server-side private key component.
The server then calls the cipher machine interface. Inside the cipher machine, the server-side private key component d2, of length klen bits, is computed from the server-side platform identifier PlatformID, the user identifier UserID, the key identifier KeyID and the symmetric key X. Expressed as formulas:
seed = Encrypt(PlatformID || UserID || KeyID, X);
d2 = KDF(seed, klen).
Here Encrypt is a symmetric encryption algorithm that encrypts with the symmetric key X. Any possible symmetric encryption algorithm can be used, such as DES (Data Encryption Algorithm), AES (Advanced Encryption Standard) or SM4 (a block cipher). KDF is a key derivation algorithm; it can specifically be the function defined in the PKCS#5 standard, or the key derivation algorithm defined in "GM/T 0003.4-2012 SM2 Elliptic Curve Public Key Cryptographic Algorithm, Part 4: Public Key Encryption Algorithm", among others.
To use the server-side private key component it must first be recovered. The recovery process is exactly the same as the generation process described above. In a specific application scenario, no dedicated flow is needed to generate the server-side private key component; the cipher machine generates it whenever it is needed, so the server and the cipher machine do not have to store a massive amount of key data.
Taking digital signature as an example: during the signature, after the server obtains the user identifier UserID and the key identifier KeyID sent by the client, it calls the cipher machine interface. Inside the cipher machine, the server-side private key component d2 of length klen bits is computed from PlatformID, UserID, KeyID and the symmetric key X, and the digital signature process is completed with the generated d2.
To protect the private key component effectively, a specific implementation can enforce that the computed server-side private key component d2 cannot be exported from the cipher machine in plaintext, and that the d2 generated by the cipher machine may not be stored in a non-volatile storage component. In addition, in the stage where the client and the server jointly perform the digital signature, the server sends an instruction to the cipher machine so that d2 is computed from X inside the cipher machine and the collaborative signing step is completed. Furthermore, whether the public key is being computed or a collaborative signature is being performed, after the cipher machine has used d2 the server can send an instruction to the cipher machine to destroy the copy of the server-side private key component in the cipher machine's memory.
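The derivation above, d2 = KDF(Encrypt(PlatformID || UserID || KeyID, X), klen), together with the destroy-after-use step, as an added Go example that is not part of the patent. It assumes AES in CBC mode with a fixed zero IV for Encrypt, a counter-mode hash KDF with SHA-256 standing in for SM3, and length-prefixed fields instead of bare concatenation; all function names and sample identifiers are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// encodeFields length-prefixes each field so that ("ab", "c") and ("a", "bc")
// give different inputs. The page writes a bare PlatformID || UserID || KeyID;
// the length prefix is an assumption added here.
func encodeFields(fields ...string) []byte {
	var buf bytes.Buffer
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf.Write(n[:])
		buf.WriteString(f)
	}
	return buf.Bytes()
}

// encryptDeterministic plays the role of Encrypt(msg, X). Assumption: AES-CBC
// with PKCS#7 padding and an all-zero IV. The output never leaves the cipher
// machine; it only has to be identical on every regeneration.
func encryptDeterministic(x, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(x)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// kdf is a counter-mode hash KDF: H(seed || 1) || H(seed || 2) || ...,
// truncated to klenBits. SHA-256 is used here in place of SM3.
func kdf(seed []byte, klenBits int) []byte {
	n := (klenBits + 7) / 8
	var out []byte
	for ct := uint32(1); len(out) < n; ct++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], ct)
		h := sha256.Sum256(append(append([]byte{}, seed...), c[:]...))
		out = append(out, h[:]...)
	}
	return out[:n]
}

// DeriveServerShare computes d2 from the identifiers and the symmetric key X.
func DeriveServerShare(x []byte, platformID, userID, keyID string, klenBits int) ([]byte, error) {
	seed, err := encryptDeterministic(x, encodeFields(platformID, userID, keyID))
	if err != nil {
		return nil, err
	}
	return kdf(seed, klenBits), nil
}

// WithServerShare regenerates d2, passes it to use, then overwrites the
// in-memory copy, modelling the destroy instruction sent after each use.
func WithServerShare(x []byte, platformID, userID, keyID string, klenBits int, use func(d2 []byte)) error {
	d2, err := DeriveServerShare(x, platformID, userID, keyID, klenBits)
	if err != nil {
		return err
	}
	defer func() {
		for i := range d2 {
			d2[i] = 0
		}
	}()
	use(d2)
	return nil
}

func main() {
	x := bytes.Repeat([]byte{0x42}, 32) // constructed key; a real X stays inside the cipher machine
	a, _ := DeriveServerShare(x, "platform-01", "alice", "sign-key-1", 256)
	b, _ := DeriveServerShare(x, "platform-01", "alice", "sign-key-1", 256)
	c, _ := DeriveServerShare(x, "platform-01", "bob", "sign-key-1", 256)
	fmt.Println("regenerated share matches:", bytes.Equal(a, b))
	fmt.Println("other user, other share:", !bytes.Equal(a, c))
}
```

Deterministic encryption is what makes regeneration work: with a random IV the seed would differ on every call and d2 could never be recovered. The length prefix keeps two different identifier tuples from collapsing into the same input and therefore the same component.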
In one embodiment, the processing method based on a distributed private key involves a client and a server. In a specific implementation, the client can be an application program installed on a user terminal and the server an application program installed on a server. As shown in Fig. 2, the method involving the client and the server in one embodiment includes the following steps S201 to S202; this embodiment is described for the scenario in which the client generates its private key component.
Step S201: The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain a client private key component ciphertext, and sends a message to the server.
Step S202: The server receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to the cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server-side private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server-side platform identifier.
The processing performed by the server in step S202 can be the same as the server processing in the embodiment shown in Fig. 1 above.
Step S201 can be executed on the user terminal device. In one embodiment, as shown in Fig. 3, step S201 may include the following steps S2011 to S2013.
Step S2011: Obtain the user identification code and generate the client temporary key based on it.
In one embodiment, the user identification code can be the user's PIN (personal identification number), which can be obtained from user input.
The client temporary key can be generated from the user identification code in any possible way. In one embodiment, the user identification code entered by the user is used as the input parameter and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the user identification code entered by the user is obtained, the method may further include the steps of: obtaining a device hardware parameter, a device software parameter and a device identity, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the device fingerprint information. In one example, the user identification code entered by the user and the device fingerprint information are used as input parameters and the client temporary key is obtained by executing a key derivation algorithm.
In one example, before the device identity is obtained, the method further includes the steps of: generating the device identity with a random number generator and storing it. The device identity can be stored in non-volatile storage so that it can easily be read in later use.
In one embodiment, before the user identification code entered by the user is obtained, the method further includes the steps of: generating a salt value (an additional value added during the cryptographic process) and storing it. The salt value can be stored in non-volatile storage so that it can easily be read in later use.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the salt value. In one specific example, the user identification code entered by the user and the salt value are used as input parameters and the client temporary key is obtained by executing a key derivation algorithm. Introducing the salt value helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the user identification code entered by the user is obtained, the method further includes the steps of: generating a salt value and storing it; and obtaining a device hardware parameter, a device software parameter and a device identity, and generating device fingerprint information based on them.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code, the salt value and the device fingerprint information. In one specific example, the user identification code entered by the user, the device fingerprint information and the salt value are used as input parameters and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the user identification code entered by the user is obtained, the method may further include the steps of: generating a random integer and storing it. The random integer can be stored in non-volatile storage so that it can easily be read in later use.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key. For example, with the user identification code as the input parameter, the key derivation algorithm is executed that many times to generate the client temporary key. Introducing the random integer helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the user identification code entered by the user is obtained, the method may further include the steps of: generating a salt value and a random integer, and storing both.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key.
In one embodiment, when a random integer has been generated and the client temporary key is generated with the user identification code and the device fingerprint information as input parameters, the key derivation algorithm is executed a number of times equal to the random integer with those input parameters to generate the client temporary key. In one embodiment, when both a salt value and a random integer have been generated and the temporary key is generated from the user identification code, the salt value and the device fingerprint information, the user identification code entered by the user, the device fingerprint information and the salt value are used as input parameters and the key derivation algorithm is executed a number of times equal to the random integer to generate the client temporary key.
In one embodiment, can also include step before above-mentioned acquisition CUSTOMER ID input by user:It obtains Password authentication information input by user and identifying code;Password authentication information and identifying code are verified, and when being verified, display is used Family identification code input interface.It is thus possible to using the double authentication of password authentication and identifying code, it is correct in verification, Just allow to input CUSTOMER ID.In a specific example, the length and character types of password can also be defined, such as The length of password has to be larger than the first predetermined length, and character types must include capitalization, lowercase and number etc., with Implement high intensity verification.
It on the other hand, in one embodiment, can also be in continuous first pre-determined number password authentication information and identifying code It is obstructed out-of-date to verify, and locks the verification password authentication information and identifying code mechanism, that is, limiting not allows user to continue to execute response Flow, and unlocked after waiting for first time period, and continuous second pre-determined number password authentication information and verification after unlock Code verification is obstructed out-of-date, locks the verification password authentication information and identifying code mechanism, and unlocked after waiting for second time period, and Second time period is more than first time period, and so on.
Step S2012: Generate the client private key component.
The client private key component may be generated in any possible manner. In one embodiment, a random number may be generated using a random number generator and used as the client private key component.
Step S2013: Encrypt the client private key component using the client temporary key to obtain the client private key component ciphertext.
The client private key component may be encrypted with the client temporary key in any possible manner. For example, the client temporary key may serve as a symmetric key, and symmetric encryption is performed on the client private key component with the client temporary key to obtain the client private key component ciphertext. In one embodiment, the obtained client private key component ciphertext may be saved in the non-volatile storage space inside the isolation container of the client.
In one embodiment, during digital signing, after the digital signature has been performed based on the client private key component, the copy of the client private key component in memory may also be destroyed. This avoids the possibility of the in-memory copy of the client private key component being obtained by others, further strengthening security.
In one embodiment, before the digital signature is performed, the method may further include the step of: verifying whether the server private key component matches the client private key component, so as to avoid unauthorized use of the server private key component.
As shown in Figure 4, the method involving the client and the server in one embodiment includes the following steps S401 to S402. This embodiment is described for the scenario in which the client decrypts to obtain the client private key component.
Step S401: The client obtains the user identification code and the client private key component ciphertext, generates the client temporary key based on the user identification code, decrypts the client private key component ciphertext using the client temporary key to obtain the client private key component, and sends a message to the server.
Step S402: The server receives the message sent by the client and, when the message satisfies the server private key component use condition, sends a control instruction to the cipher machine. The control instruction carries association information and instructs the cipher machine to generate the server private key component according to the association information and the symmetric key of the cipher machine. The association information includes the server platform identifier.
The processing performed by the server in step S402 may be the same as the server processing in the embodiment shown in Figure 1 above.
Step S401 may be executed on the user terminal device. In one embodiment, step S401 may include the following steps S4011 to S4012.
Step S4011: Obtain the user identification code and the client private key component ciphertext, and generate the client temporary key based on the user identification code.
The client private key component ciphertext can be read directly from storage. In one embodiment, the user identification code may be the user's PIN (personal identification number), and may be obtained from user input.
The client temporary key may be generated from the user identification code in any possible manner. In one embodiment, the user identification code entered by the user is taken as the input parameter, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the user identification code, the method may further include the step of: reading device hardware parameters, device software parameters and a device identity identifier, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identifier.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the device fingerprint information. In one example, the user identification code entered by the user and the device fingerprint information are taken as input parameters, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the user identification code, the method further includes the step of: reading the stored salt value (an additional value added in the cryptographic process).
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the salt value that was read. In a specific example, the user identification code entered by the user and the salt value are taken as input parameters, and the client temporary key is obtained by executing a key derivation algorithm. Introducing the salt value helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the client temporary key is generated based on the user identification code, the method further includes the steps of: reading the stored salt value; and reading device hardware parameters, device software parameters and a device identity identifier, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identifier.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code, the salt value and the device fingerprint information. In a specific example, the user identification code entered by the user, the device fingerprint information and the salt value are taken as input parameters, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the user identification code, the method may further include the step of: reading the stored random integer.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key. Introducing the random integer helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the client temporary key is generated based on the user identification code, the method may further include the step of: reading the stored salt value and random integer.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key.
It can be understood that, where the client temporary key is generated with the user identification code as the input parameter, the key derivation algorithm may be executed a number of times equal to the random integer, with the user identification code as the input parameter, to generate the client temporary key. In one embodiment, where the random integer has been read and the client temporary key is generated with the user identification code and the device fingerprint information as input parameters, the key derivation algorithm is executed a number of times equal to the random integer, with the user identification code and the device fingerprint information as input parameters, to generate the client temporary key. In one embodiment, where both the salt value and the random integer have been read and the temporary key is generated based on the user identification code, the salt value and the device fingerprint information, the user identification code entered by the user, the device fingerprint information and the salt value may be taken as input parameters, and the key derivation algorithm executed a number of times equal to the random integer to generate the client temporary key.
In one embodiment, before the user identification code entered by the user is obtained, the method may further include the steps of: obtaining password authentication information and a verification code entered by the user; and verifying the password authentication information and the verification code, and displaying the user identification code input interface when verification passes. Dual verification with a password and a verification code can thus be used, and the user identification code may be entered only when verification succeeds. In a specific example, the length and character types of the password may also be restricted, for example the password length must exceed a first predetermined length and the characters must include uppercase letters, lowercase letters and digits, so as to enforce high-strength verification.
On the other hand, in one embodiment, when verification of the password authentication information and the verification code fails a first predetermined number of consecutive times, the mechanism for verifying the password authentication information and the verification code may be locked, that is, the user is not allowed to continue the corresponding flow, and the mechanism is unlocked after a first time period. When verification fails a second predetermined number of consecutive times after unlocking, the mechanism is locked again and unlocked after a second time period, where the second time period is longer than the first time period, and so on.
Step S4012: Decrypt the client private key component ciphertext using the client temporary key to obtain the client private key component.
The client private key component ciphertext may be decrypted with the client temporary key in any possible manner, as long as it corresponds to the encryption method. For example, the client temporary key may be a symmetric key, and symmetric decryption is performed on the client private key component ciphertext with the client temporary key to obtain the client private key component.
In one embodiment, during digital signing, after the digital signature has been performed based on the client private key component, the copy of the client private key component in memory may also be destroyed. This avoids the possibility of the in-memory copy of the client private key component being obtained by others, further strengthening security.
In one embodiment, before the digital signature is performed, the method may further include the step of: verifying whether the server private key component matches the client private key component, so as to avoid unauthorized use of the server private key component.
One example is described in detail below. This example covers the generation, use and protection of the client private key component.
The process of generating the client private key component may include the following steps A1 to A4.
Step A1: Generate the relevant non-sensitive parameters. In one embodiment, the non-sensitive parameters include the salt value Salt, the random integer Rounds and the device identity identifier UUID.
Salt value Salt: the client may generate the salt value Salt with a random number generator.
Random integer Rounds: the client may generate a random integer Rounds with a random number generator. The random integer Rounds can be used as the iteration count of the key derivation function KDF.
Device identity identifier UUID: the client may generate, with a random number generator, the device identity identifier UUID used to identify the device.
The generated salt value Salt, random integer Rounds and device identity identifier UUID may be stored in the non-volatile storage space inside the isolation container of the client on the user terminal (such as a mobile App (Application, third-party application)).
Step A2: Generate the device fingerprint information MobileID.
In a specific implementation, the client may read the relevant hardware parameters SysInfo1 from the non-volatile storage space of the isolation container of the client on the mobile device. The hardware parameters SysInfo1 may include hardware parameters such as CPU (Central Processing Unit) type and number of CPUs.
In addition, the client may read the relevant software parameters SysInfo2 of the terminal device on which it runs. The software parameters SysInfo2 may include relevant software parameters such as the OS type.
In addition, the client may read the device identity identifier UUID from the non-volatile storage space of the isolation container of the client on the mobile device.
It can be understood that the hardware parameters SysInfo1, the software parameters SysInfo2 and the device identity identifier UUID may be read in any order, as long as all three have been read before the device fingerprint information MobileID is computed as described below.
Then the hardware parameters SysInfo1, the software parameters SysInfo2 and the device identity identifier UUID are concatenated, and a digest algorithm is executed with the concatenated parameters as input to compute the device fingerprint information MobileID. The device fingerprint information MobileID may be 256 bits long and can be expressed as:
MobileID = Hash(SysInfo1 || SysInfo2 || UUID).
The digest algorithm Hash may be any possible digest algorithm, such as MD5 (Message Digest Algorithm 5), SHA256 (Secure Hash Algorithm) or SM3 (a cryptographic hash algorithm).
Step A3: Generate the temporary key TK.
The client displays the user identification code input interface, prompts the user to enter the user identification code (PIN), and obtains the user identification code entered by the user. In addition, the client reads the salt value Salt and the random integer Rounds from the non-volatile storage space of the isolation container of the client on the mobile device.
Then the user identification code (PIN), the salt value Salt and the device fingerprint information MobileID are concatenated, and with the concatenated information as the input parameter the key derivation algorithm is executed Rounds times to obtain the temporary key TK. The formula can be expressed as:
TK = KDF(PIN || Salt || MobileID, Rounds).
Step A4: Generate the client private key component and store it encrypted.
The client generates a random number with a random number generator and uses the random number as the client private key component d1.
Then, with the client private key component d1 as input and the temporary key TK as the symmetric key, the client executes a symmetric encryption algorithm (such as AES or SM4) to encrypt the client private key component d1 and obtain the client private key component ciphertext SD1. Any encryption mode (such as ECB/CBC/OFB) may be used.
The obtained client private key component ciphertext SD1 is stored in the non-volatile storage space inside the isolation container of the client on the user terminal (such as a mobile App).
To use the client private key component, it must first be recovered. The process of recovering the client private key component may include the following steps B1 to B4.
Step B1: Extract the parameters.
In a specific example, the extracted parameters may include: the salt value Salt, the random integer Rounds, the device identity identifier UUID and the client private key component ciphertext SD1.
Step B2: Extract the device fingerprint information MobileID.
In a specific implementation, the client may read the relevant hardware parameters SysInfo1 from the non-volatile storage space of the isolation container of the client on the mobile device, read the relevant software parameters SysInfo2 of the terminal device on which it runs, and read the device identity identifier UUID from the non-volatile storage space of the isolation container of the client on the mobile device.
It can be understood that the hardware parameters SysInfo1, the software parameters SysInfo2 and the device identity identifier UUID may be read in any order, as long as all three have been read before the device fingerprint information MobileID is computed as described below.
Then the hardware parameters SysInfo1, the software parameters SysInfo2 and the device identity identifier UUID are concatenated, and a digest algorithm is executed with the concatenated parameters as input to compute the device fingerprint information MobileID.
Step B3: Generate the temporary key TK.
The client displays the user identification code input interface, prompts the user to enter the user identification code (PIN), and obtains the user identification code entered by the user. In addition, the client reads the salt value Salt and the random integer Rounds from the non-volatile storage space of the isolation container of the client on the mobile device.
Then the user identification code (PIN), the salt value Salt and the device fingerprint information MobileID are concatenated, and with the concatenated information as the input parameter the key derivation algorithm is executed Rounds times to obtain the temporary key TK. The formula can be expressed as:
TK = KDF(PIN || Salt || MobileID, Rounds).
Step B4: Compute the client private key component.
With the client private key component ciphertext SD1 as input and the temporary key TK as the symmetric key, the client executes the decryption algorithm of the symmetric cipher (such as AES or SM4) to decrypt the client private key component ciphertext SD1 and obtain the client private key component d1.
After the client private key component d1 is obtained, it can be used to perform related processes such as encryption, signing and decryption.
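Added example (not part of the patent text): steps A1 to A4 and B1 to B4 end to end in Python, showing that the recovered d1 depends on the PIN and on every device parameter, and that a wrong PIN returns a different value instead of an error. Assumptions: SHA-256 as Hash, PBKDF2-HMAC-SHA256 as KDF, an HMAC-SHA256 keystream standing in for AES/SM4, length-prefixed concatenation, and all function and field names.

```python
import hashlib
import hmac
import secrets
import uuid


def generate_parameters() -> dict:
    """Step A1: non-sensitive parameters kept in the client's isolation container."""
    return {
        "salt": secrets.token_bytes(16),
        # Random iteration count. The floor of 50,000 is an assumption so that
        # an unlucky draw can never make the KDF cheap.
        "rounds": 50_000 + secrets.randbelow(50_000),
        "uuid": uuid.uuid4().bytes,
    }


def device_fingerprint(sysinfo1: bytes, sysinfo2: bytes, device_uuid: bytes) -> bytes:
    """Steps A2/B2: MobileID = Hash(SysInfo1 || SysInfo2 || UUID), with SHA-256."""
    h = hashlib.sha256()
    for part in (sysinfo1, sysinfo2, device_uuid):
        # Length prefixes are an addition: bare concatenation would hash
        # ("ab", "c") and ("a", "bc") to the same MobileID.
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def derive_tk(pin: str, salt: bytes, mobile_id: bytes, rounds: int) -> bytes:
    """Steps A3/B3: TK = KDF(PIN || Salt || MobileID, Rounds).

    PBKDF2-HMAC-SHA256 is the assumed KDF: the PIN is its password input and
    Salt || MobileID is its salt input.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"),
                               salt + mobile_id, rounds, dklen=32)


def _keystream_xor(tk: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream.

    Like OFB it is unauthenticated and encryption equals decryption.
    Use AES or SM4 from a vetted library in real code.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(tk, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def create_component(pin: str, sysinfo1: bytes, sysinfo2: bytes):
    """Steps A1-A4. Returns (record to store, d1). The PIN and TK are never stored."""
    stored = generate_parameters()
    mobile_id = device_fingerprint(sysinfo1, sysinfo2, stored["uuid"])
    tk = derive_tk(pin, stored["salt"], mobile_id, stored["rounds"])
    d1 = secrets.token_bytes(32)  # client private key component
    nonce = secrets.token_bytes(16)
    stored["sd1"] = nonce + _keystream_xor(tk, nonce, d1)  # ciphertext SD1
    return stored, d1


def recover_component(pin: str, sysinfo1: bytes, sysinfo2: bytes, stored: dict) -> bytes:
    """Steps B1-B4. A wrong PIN or a changed device yields a different value, not an error."""
    mobile_id = device_fingerprint(sysinfo1, sysinfo2, stored["uuid"])
    tk = derive_tk(pin, stored["salt"], mobile_id, stored["rounds"])
    nonce, body = stored["sd1"][:16], stored["sd1"][16:]
    return _keystream_xor(tk, nonce, body)


if __name__ == "__main__":
    hw, sw = b"cpu=arm64;cores=8", b"os=android-13"  # constructed sample values
    record, d1 = create_component("Ab3dEf9h", hw, sw)
    print("right PIN recovers d1:", recover_component("Ab3dEf9h", hw, sw, record) == d1)
    print("wrong PIN recovers d1:", recover_component("Ab3dEf9x", hw, sw, record) == d1)
```

Because an unauthenticated mode gives no local signal that the PIN was wrong, the client cannot tell a mistyped PIN from a correct one until the private key component pairing check with the server is run.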
To protect the private key component effectively, the following strategies may be adopted in a specific implementation.
In one embodiment, when the user logs in to the client of the user terminal (such as an App), two-factor verification with a password and a verification code may be used; the verification code may specifically be an SMS verification code. Password authentication may use the CHAP protocol or a password authentication protocol defined in IEEE P1363 (such as SRP-6). The PIN input interface is displayed, and the PIN may be entered to invoke the client private key component, only when the password is verified as correct.
In one embodiment, a verification policy may be applied to the strength of the user password and the PIN. For example, the PIN may be required to satisfy the following conditions: first, its length exceeds a first predetermined length or falls within a predetermined range, for example 8 to 12 characters; second, it contains uppercase letters, lowercase letters and digits at the same time; third, it passes a weak-password check against a preset list.
In one embodiment, after each execution of the collaborative signature algorithm, the client immediately destroys every copy of the client private key component d1 in memory.
In one embodiment, after the client recovers the client private key component d1 and before steps such as collaborative signing are executed, it must further be verified whether the client private key component matches the server private key component. Only when they match can the client private key component d1 take part in the signing operation, so that the secure and reliable server private key component d2 is used to strengthen verification of the user's identity. This embodiment does not limit how the pairing of the private key components is verified; for example, reference may be made to the GB/T 15843 standard.
In the password authentication flow, and in the private key component pairing flow of the collaborative signing stage, the server may apply exception handling measures for authentication failures. For example, if the authentication flow fails a first predetermined number of consecutive times (such as 3), the server prevents the user from continuing the corresponding flow and allows operation to resume only after a forced wait of a first predetermined time period (such as 1 minute). If, after unlocking, authentication fails again a second predetermined number of consecutive times (the second predetermined number may be the same as or different from the first; it may also be set to 3, for example), the account is locked again and the lock time may be doubled, and so on. Once the client successfully completes an authentication, the error lockout delay policy for the corresponding account is released.
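Added example (not part of the patent text): the server-side failure handling described above as a per-account state machine in Python, with 3 consecutive failures, a 1-minute first lock, doubling on each further lock and release on success. The class and method names, the injected clock value `now` and the 24-hour cap on the lock time are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failures since the last lock or success
    locked_until: float = 0.0  # time before which every attempt is refused
    next_lock: float = 60.0    # duration of the next lock, doubled after each lock


class LockoutPolicy:
    """Escalating lockout for the password flow and the key component pairing flow."""

    def __init__(self, max_failures: int = 3, base_lock: float = 60.0,
                 max_lock: float = 24 * 3600.0):
        self.max_failures = max_failures
        self.base_lock = base_lock
        self.max_lock = max_lock  # the cap is an assumption; the text sets no upper bound
        self._accounts: Dict[str, _AccountState] = {}

    def attempt(self, account: str, verify: Callable[[], bool], now: float) -> str:
        """Run one authentication attempt; returns "locked", "ok" or "failed"."""
        state = self._accounts.setdefault(
            account, _AccountState(next_lock=self.base_lock))
        if now < state.locked_until:
            # verify() is not called, so a locked account gives no answer
            # about whether the submitted value was right.
            return "locked"
        if verify():
            # One success releases the delay policy for the account.
            self._accounts[account] = _AccountState(next_lock=self.base_lock)
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = now + state.next_lock
            state.next_lock = min(state.next_lock * 2, self.max_lock)
            state.failures = 0
        return "failed"

    def seconds_locked(self, account: str, now: float) -> float:
        """Remaining lock time for the account, 0.0 if it is not locked."""
        state = self._accounts.get(account)
        return max(0.0, state.locked_until - now) if state else 0.0


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed timeline: six wrong attempts, one per second where allowed.
    for t in (0, 1, 2, 62, 63, 64):
        result = policy.attempt("alice", lambda: False, t)
        print(t, result, policy.seconds_locked("alice", t))
```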
In summary, the schemes of the embodiments of the present application described above improve security in the following ways.
The server private key component d2 is protected by a cipher machine that meets security level 3; even if the client private key component d1 is leaked, an attacker cannot obtain the complete private key d.
The client private key component d1 is generated with a random number generator that meets the national cryptography random number test criteria, and is encrypted and protected with the temporary key TK derived from the PIN.
Verifying the strength of the PIN helps resist offline dictionary attacks, and introducing the salt value Salt and the random integer Rounds helps resist rainbow table attacks.
In the process of deriving the temporary key TK from the PIN, the KDF algorithm is executed Rounds times, which consumes considerable execution time and makes offline enumeration or dictionary attacks harder for an attacker. In the scheme of this embodiment, the enumeration space of the PIN contains at least 62^8 cases; assuming that computing one KDF iteration takes 100 milliseconds, enumeration takes about 2.2 × 10^16 milliseconds (about 6,900 centuries).
Adding the step of verifying the pairing of the client and server private key components increases the strength of client identity authentication and at the same time avoids unauthorized use of the server private key component.
Applying error-handling control measures to online verification flows such as user password authentication and the pairing of client and server private key components prevents an attacker from carrying out online enumeration or dictionary attacks within an acceptable time.
Two-factor verification with a login password and an SMS verification code is used when the user logs in to the client of the user terminal. The login password of the user role and the PIN protecting the certificate private key are completely separated, so the password does not take part in the computation that generates or recovers the client private key component.
As shown in Figure 5, the processing system based on a distributed private key in one embodiment includes a client 1 and a server 2. Taking the scenario in which the client generates the private key component as an example:
The client 1 generates the client private key component, obtains the user identification code, generates the client temporary key based on the user identification code, encrypts the client private key component using the client temporary key to obtain the client private key component ciphertext, and sends a message to the server;
The server 2 receives the message sent by the client 1 and, when the message satisfies the server private key component use condition, sends a control instruction to the cipher machine. The control instruction carries association information and instructs the cipher machine to generate the server private key component according to the association information and the symmetric key of the cipher machine. The association information includes the server platform identifier.
Referring to Figure 5, in one embodiment the server 2 includes a server communication module 21 and a private key component processing control module 22.
The server communication module 21 is configured to receive the message sent by the client. The message sent by the client may be any possible message, as long as it can indicate or trigger the server to perform an operation related to the server private key component. In one embodiment, the message sent by the client may be a message sent in the process of instructing the server to generate the server private key, or a message sent in the process of performing digital signing or decryption. The information contained in the message may differ between technical scenarios.
In one embodiment, the message sent by the client may include only information that indicates or triggers the server to perform an operation related to the server private key component.
In one embodiment, the message sent by the client may include a user identifier. By including the user identifier in the message, the server can subsequently generate the server private key component corresponding to that user identifier, so that different server private key components can be generated for different users.
In one embodiment, the message sent by the client may include a key identifier. By including the key identifier in the message, the server can subsequently generate the server private key component corresponding to that key identifier, so that different server private key components can be generated from different key identifiers, and the different server private key components generated can be used for different purposes.
In one embodiment, the message sent by the client may include both a user identifier and a key identifier. By including the user identifier and the key identifier in the message, the server can subsequently generate, based on the user identifier and the key identifier, different server private key components corresponding to the user identifier, and the different server private key components generated can be used for different purposes corresponding to that user identifier.
The private key component processing control module 22 is configured to send a control instruction to the cipher machine when the message satisfies the server private key component use condition. The control instruction carries association information and instructs the cipher machine to generate the server private key component according to the association information and the symmetric key of the cipher machine. The association information includes the server platform identifier.
The server private key component use condition may be set in different ways, as long as the message can trigger the server to send the above control instruction to the cipher machine.
For example, in one embodiment the message may be a related message in the process in which the client and the server cooperate to generate the server private key component.
In another embodiment, the message may be a related message in the process in which the client and the server cooperate in encryption, signing or decryption. Taking signing as an example, the control instruction may be a signature instruction, which instructs the cipher machine to generate the server private key component according to the association information and the symmetric key of the cipher machine, and to perform the digital signature based on the server private key component. The cipher machine can thus be instructed to generate the server private key component while the digital signature is being executed. Because the server actually completes the generation of the server private key component during the digital signature, neither the server host on which the server runs nor the cipher machine needs to store the generated server private key component. Where the server has to perform collaborative signing with the users of many different user terminals, the server and the cipher machine do not need to store a massive number of server private key components, which further improves security.
In one embodiment, when the message sent by the client includes a user identifier, the association information may also include the user identifier. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the user identifier and the symmetric key of the cipher machine. The server can thus generate the server private key component corresponding to the user identifier, so that different server private key components can be generated for different users.
In one embodiment, when the message sent by the client includes a key identifier, the association information also includes the key identifier. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the key identifier and the symmetric key of the cipher machine. The server can thus generate different server private key components from different key identifiers, and the different server private key components generated can be used for different purposes.
In one embodiment, when the message sent by the client includes both a user identifier and a key identifier, the association information also includes both the user identifier and the key identifier. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the user identifier, the key identifier and the symmetric key of the cipher machine. The server can thus generate, based on the user identifier and the key identifier, different server private key components corresponding to the user identifier, and the different server private key components generated can be used for different purposes corresponding to that user identifier.
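Added example (not part of the patent text): one way the cipher machine could derive the server private key component on demand from the association information and its symmetric key, covering the four cases above (platform identifier alone, with user identifier, with key identifier, with both). The tag-length-value encoding, HMAC-SHA512 as the derivation function, the NIST P-256 group order as the range of d2 and all names are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Order n of the NIST P-256 group. The curve is an assumption; an SM2
# deployment would use the SM2 group order instead.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def encode_association(platform_id: bytes, user_id: Optional[bytes] = None,
                       key_id: Optional[bytes] = None) -> bytes:
    """Canonical tag-length-value encoding of the association information.

    Tags keep a user identifier distinct from a key identifier with the same
    bytes, and lengths keep ("ab", "c") distinct from ("a", "bc").
    """
    out = bytearray()
    for tag, value in ((1, platform_id), (2, user_id), (3, key_id)):
        if value is None:
            continue  # field absent in this embodiment
        out += bytes([tag]) + len(value).to_bytes(2, "big") + value
    return bytes(out)


def derive_server_component(hsm_key: bytes, association: bytes) -> int:
    """Runs inside the cipher machine: d2 is recomputed per request, never stored.

    The 64-byte PRF output is reduced into [1, n-1]; the wide output keeps
    the modulo bias negligible.
    """
    prf = hmac.new(hsm_key, b"server-private-key-component" + association,
                   hashlib.sha512).digest()
    return int.from_bytes(prf, "big") % (N - 1) + 1


if __name__ == "__main__":
    key = bytes(32)  # constructed placeholder for the cipher machine's symmetric key
    for user, purpose in ((b"alice", b"sign"), (b"alice", b"decrypt"), (b"bob", b"sign")):
        info = encode_association(b"platform-01", user, purpose)
        print(user, purpose, hex(derive_server_component(key, info))[:18] + "...")
```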
Referring to Fig. 5, in one embodiment, server-side 2 further includes a platform identification generation module 23 for generating the server-side platform identification. The server-side platform identification may be generated in any feasible manner. In one embodiment, a random number is produced by a random number generator and used as the server-side platform identification; this strengthens the randomness of the identification, and hence of the server-side private key component generated from it, further improving security. In another embodiment, the server-side platform identification may be generated from information related to the server-side using some algorithm.
Referring to Fig. 5, in one embodiment, server-side 2 further includes a server-side private key copy destruction module 24 for sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory. The in-memory copy of the server-side private key component is thus destroyed after every use, which removes the possibility of a third party obtaining it from memory and further improves security.
Referring to Fig. 5, in one embodiment, server-side 2 further includes a security permission control module 25 for ensuring that the server-side private key component cannot be exported from the cipher machine in plaintext, and that the server-side private key component is not allowed to be stored in a non-volatile storage component. This further strengthens the protection of the server-side private key component and further improves security.
Referring to Fig. 5, in one embodiment, in the application scenario of generating the client private key component, client 1 includes: a client private key component generation module 101, a temporary key generation module 102, a private key component encryption module 103 and a client communication module 104.
The client private key component generation module 101 is used to generate the client private key component.
The client private key component may be generated in any feasible manner. In one embodiment, a random number is generated with a random number generator and used as the client private key component.
The temporary key generation module 102 is used to obtain a user identification code and generate a client temporary key based on the user identification code.
In one embodiment, the user identification code may be the user's PIN (personal identification number), obtained from user input.
The client temporary key may be generated from the user identification code in any feasible manner. In one embodiment, the user identification code entered by the user is taken as the input parameter and the client temporary key is obtained by executing a key derivation algorithm.
Referring to Fig. 5, in one embodiment, client 1 further includes a device fingerprint information module 107 for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier.
In this case, the temporary key generation module 102 generates the temporary key based on the user identification code and the device fingerprint information. In one specific example, the user identification code entered by the user and the device fingerprint information are taken as input parameters and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, client 1 further includes a device identity identifier generation module (not shown), which generates the device identity identifier with a random number generator and stores it. The device identity identifier may be stored in non-volatile storage so that it can be read during subsequent use.
Referring to Fig. 5, in one embodiment, client 1 further includes a salt value module 108 for generating a salt value (an additional value added during the cryptographic process) and storing it. The salt value may be stored in non-volatile storage so that it can be read during subsequent use.
In this case, the temporary key generation module 102 may generate the temporary key based on the user identification code and the salt value.
In one embodiment, referring to Fig. 5, client 1 may include both the device fingerprint information module 107 and the salt value module 108. In this case, the temporary key generation module 102 takes the user identification code entered by the user, the device fingerprint information and the salt value as input parameters and obtains the client temporary key by executing a key derivation algorithm. Introducing the salt value helps resist rainbow table attacks and further improves security.
Referring to Fig. 5, in one embodiment, client 1 may also include a random integer module 109 for generating a random integer and storing it. The random integer may be stored in non-volatile storage so that it can be read during subsequent use.
In this case, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm on the user identification code a number of times equal to the random integer. Introducing the random integer helps resist rainbow table attacks and further improves security.
In one embodiment, client 1 may include both the device fingerprint information module 107 and the random integer module 109. In this case, the temporary key generation module 102 takes the user identification code and the device fingerprint information as input parameters and generates the client temporary key by executing the key derivation algorithm a number of times equal to the random integer.
In one embodiment, client 1 may also include both the salt value module 108 and the random integer module 109. In this case, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm, based on the user identification code and the salt value, a number of times equal to the random integer.
In one embodiment, client 1 may also include the device fingerprint information module 107, the salt value module 108 and the random integer module 109 together. In this case, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm, based on the user identification code, the device fingerprint information and the salt value, a number of times equal to the random integer.
Referring to Fig. 5, in one embodiment, client 1 further includes a password authentication module 106 for obtaining the password authentication information and verification code entered by the user, verifying them, and displaying the user identification code input interface when verification passes. Double authentication by password and verification code is thus applied, and the user identification code may only be entered when both verify correctly. In a specific example, the length and character types of the password may also be restricted, for example the password length must exceed a first predetermined length and the character types must include uppercase letters, lowercase letters and digits, so as to enforce high-strength verification.
In one embodiment, the password authentication module 106 may also lock the mechanism that verifies the password authentication information and verification code when verification fails a first predetermined number of consecutive times, that is, the user is not allowed to continue the corresponding flow, and unlock it after a first time period. After unlocking, when verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after a second time period, the second time period being longer than the first, and so on.
The private key component encryption/decryption module 103 is used to encrypt the client private key component with the client temporary key to obtain the client private key component ciphertext.
The client private key component may be encrypted with the client temporary key in any feasible manner. For example, the client temporary key may serve as a symmetric key, and symmetric encryption of the client private key component with it yields the client private key ciphertext. In one embodiment, the resulting client private key ciphertext may be saved in non-volatile storage inside the client's isolated container.
Accordingly, as shown in Fig. 5, the client may also include a client private key ciphertext storage module 105 for storing the client private key component ciphertext.
The client communication module 104 is used to send a message to the server-side.
The message sent by the client may be any message, as long as it can instruct or trigger the server-side to perform an operation related to the server-side private key component. In one embodiment, the message sent by the client may be a message sent while instructing the server-side to generate the server-side private key, or a message sent while executing a digital signature or decryption. The information contained in the message may differ between technical scenarios.
Referring to Fig. 5, in one embodiment, taking the application scenario of using the client private key component as an example, the processing system based on a distributed private key includes client 1 and server-side 2, wherein:
Client 1 obtains the user identification code and the client private key component ciphertext, generates the client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server-side;
Server-side 2 receives the message sent by the client and, when the message satisfies the use condition of the server-side private key component, sends a control instruction to the cipher machine. The control instruction carries related information and instructs the cipher machine to generate the server-side private key component according to the related information and the cipher machine's symmetric key; the related information includes the server-side platform identification. The structure of server-side 2 may be the same as in the scenario of generating the client private key component.
In this case, client 1 includes: a client private key ciphertext storage module 105, a temporary key generation module 102, a private key component decryption module 112 and the client communication module 104 described above.
The client private key ciphertext storage module 105 is used to store the client private key ciphertext. Specifically, it may store the client private key ciphertext obtained by the private key component encryption module 103 described above.
The temporary key generation module 102 is used to obtain the user identification code and generate the client temporary key based on the user identification code.
In one embodiment, the user identification code may be the user's PIN (personal identification number), obtained from user input.
The client temporary key may be generated from the user identification code in any feasible manner. In one embodiment, the user identification code entered by the user is taken as the input parameter and the client temporary key is obtained by executing a key derivation algorithm.
Referring to Fig. 5, in one embodiment, when client 1 includes the device fingerprint information module 107, that module may read the device hardware parameter, the device software parameter and the device identity identifier, and generate the device fingerprint information based on them.
In this case, the temporary key generation module 102 generates the temporary key based on the user identification code and the device fingerprint information. In one specific example, the user identification code entered by the user and the device fingerprint information are taken as input parameters and the client temporary key is obtained by executing a key derivation algorithm.
Referring to Fig. 5, in one embodiment, when client 1 includes the salt value module 108, that module also reads the stored salt value. In this case, the temporary key generation module 102 may generate the temporary key based on the user identification code and the salt value.
In one embodiment, referring to Fig. 5, when client 1 includes both the device fingerprint information module 107 and the salt value module 108, the temporary key generation module 102 takes the user identification code entered by the user, the device fingerprint information and the salt value as input parameters and obtains the client temporary key by executing a key derivation algorithm. Introducing the salt value helps resist rainbow table attacks and further improves security.
Referring to Fig. 5, in one embodiment, when client 1 includes the random integer module 109, that module also reads the stored random integer. In this case, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm on the user identification code a number of times equal to the random integer. Introducing the random integer helps resist rainbow table attacks and further improves security.
It can be understood that, in one embodiment, when client 1 includes both the device fingerprint information module 107 and the random integer module 109, the temporary key generation module 102 takes the user identification code and the device fingerprint information as input parameters and generates the client temporary key by executing the key derivation algorithm a number of times equal to the random integer. When client 1 includes both the salt value module 108 and the random integer module 109, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm, based on the user identification code and the salt value, a number of times equal to the random integer. When client 1 includes the device fingerprint information module 107, the salt value module 108 and the random integer module 109 together, the temporary key generation module 102 may generate the temporary key by executing the key derivation algorithm, based on the user identification code, the device fingerprint information and the salt value, a number of times equal to the random integer.
Referring to Fig. 5, in one embodiment, client 1 further includes a password authentication module 106 for obtaining the password authentication information and verification code entered by the user, verifying them, and displaying the user identification code input interface when verification passes.
In addition, the password authentication module 106 may also lock the mechanism that verifies the password authentication information and verification code when verification fails a first predetermined number of consecutive times, that is, the user is not allowed to continue the corresponding flow, and unlock it after a first time period. After unlocking, when verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after a second time period, the second time period being longer than the first, and so on.
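The escalating lockout described for password authentication module 106, in both the generation and the use scenario, as an added sketch that is not code from the patent. The concrete attempt counts, the doubling of the lock period as the reading of "and so on", the reset on success and all names are assumptions.

```python
import time


class EscalatingLockout:
    """Lock after N consecutive failures; every later lock lasts longer than the last."""

    def __init__(self, attempts_per_round=(5, 3), first_lock_seconds=60.0,
                 growth=2.0, clock=time.monotonic):
        self._attempts = attempts_per_round   # first, second, ... predetermined numbers
        self._first_lock = first_lock_seconds
        self._growth = growth                 # assumed rule for "and so on"
        self._clock = clock                   # injectable so the policy can be tested
        self._round = 0
        self._failures = 0
        self._locked_until = 0.0

    def locked_for(self) -> float:
        """Seconds left until the verification mechanism unlocks (0.0 if unlocked)."""
        return max(0.0, self._locked_until - self._clock())

    def record(self, verified: bool) -> str:
        """Feed one password + verification code result; returns ok, retry or locked."""
        if self.locked_for() > 0:
            return "locked"                   # rejected even if the input was correct
        if verified:
            self._failures = 0
            self._round = 0                   # assumption: success resets escalation
            return "ok"
        self._failures += 1
        allowed = self._attempts[min(self._round, len(self._attempts) - 1)]
        if self._failures >= allowed:
            period = self._first_lock * self._growth ** self._round
            self._locked_until = self._clock() + period
            self._round += 1
            self._failures = 0
            return "locked"
        return "retry"


if __name__ == "__main__":
    now = [0.0]                               # constructed clock for the demo
    policy = EscalatingLockout(attempts_per_round=(3, 2), clock=lambda: now[0])
    print([policy.record(False) for _ in range(3)], policy.locked_for())
```

The counters here live in process memory; on a client they would have to be kept somewhere that survives an application restart, otherwise restarting clears the lock.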
The private key component decryption module 112 is used to read the client private key ciphertext and decrypt the client private key component ciphertext with the client temporary key to obtain the client private key component.
The decryption with the client temporary key may be carried out in any feasible manner, as long as it corresponds to the encryption manner used. For example, the client temporary key may serve as a symmetric key, and symmetric decryption with it yields the client private key component.
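The temporary-key derivation and the encryption and decryption of the client private key component described for modules 102, 103 and 112, as an added sketch that is not code from the patent. PBKDF2-HMAC-SHA256, the HMAC-based wrap (standing in for an authenticated cipher, which the Python standard library lacks), the iteration floor and all names are assumptions; the patent names no algorithm.

```python
import hashlib
import hmac
import secrets

MIN_ITERATIONS = 100_000  # assumed floor; the stored random integer is added on top


def device_fingerprint(hardware: str, software: str, device_id: bytes) -> bytes:
    """Hash the three device inputs, length-prefixed, into a 32-byte fingerprint."""
    h = hashlib.sha256()
    for part in (hardware.encode(), software.encode(), device_id):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_temp_key(pin: str, fingerprint: bytes, salt: bytes, iterations: int) -> bytes:
    """Client temporary key from PIN, fingerprint, stored salt and stored count."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint + pin.encode(), salt, iterations)


def _subkey(temp_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication.
    return hmac.new(temp_key, label, hashlib.sha256).digest()


def wrap(temp_key: bytes, component: bytes) -> dict:
    """Encrypt-then-MAC a 32-byte component (stand-in for a real AEAD cipher)."""
    if len(component) != 32:
        raise ValueError("component must be 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(_subkey(temp_key, b"enc"), nonce, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(component, stream))
    tag = hmac.new(_subkey(temp_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap(temp_key: bytes, record: dict) -> bytes:
    """Verify the tag first; a wrong PIN or a different device fails here."""
    expected = hmac.new(_subkey(temp_key, b"mac"),
                        record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong user identification code or device")
    stream = hmac.new(_subkey(temp_key, b"enc"), record["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream))


def provision(pin: str, hardware: str, software: str):
    """Generation scenario: returns (component, record kept in non-volatile storage)."""
    component = secrets.token_bytes(32)            # client private key component
    record = {
        "device_id": secrets.token_bytes(16),      # device identity identifier
        "salt": secrets.token_bytes(16),
        "iterations": MIN_ITERATIONS + secrets.randbelow(50_000),  # random integer
    }
    fp = device_fingerprint(hardware, software, record["device_id"])
    key = derive_temp_key(pin, fp, record["salt"], record["iterations"])
    record.update(wrap(key, component))
    return component, record


def recover(pin: str, hardware: str, software: str, record: dict) -> bytes:
    """Use scenario: re-derive the temporary key and decrypt the stored ciphertext."""
    fp = device_fingerprint(hardware, software, record["device_id"])
    key = derive_temp_key(pin, fp, record["salt"], record["iterations"])
    return unwrap(key, record)


if __name__ == "__main__":
    # Constructed sample PIN and device parameters.
    comp, rec = provision("493817", "cpu:constructed-A", "os:constructed-1.0")
    print(recover("493817", "cpu:constructed-A", "os:constructed-1.0", rec) == comp)
```

Only the salt, the iteration count, the device identity identifier and the ciphertext are persisted; the PIN, the temporary key and the plaintext component exist only while an operation runs.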
Referring to Fig. 5, in one embodiment, client 1 further includes a client private key copy destruction module 110 which, during the digital signature process, destroys the in-memory copy of the client private key component after the digital signature based on that component has been made. This prevents the in-memory copy of the client private key component from being learned by others and further improves security.
Referring to Fig. 5, in one embodiment, client 1 further includes a client private key component matching verification module 111 for verifying, in cooperation with the server-side, whether the server-side private key component matches the client private key component. This prevents unauthorized use of the server-side private key component.
Based on the examples described above, one embodiment also provides a computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the program, implements the method of any one of the embodiments above.
Fig. 6 shows the internal structure of the computer device in one embodiment. The computer device may specifically be device one or device two in the environment described above. As shown in Fig. 6, the computer device includes a processor, a memory and a network interface connected by a system bus. Where the computer device is a user terminal, it may also include an input device. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and may also store a computer program which, when executed by the processor, causes the processor to implement the processing method based on a distributed private key. The internal memory may also store a computer program which, when executed by the processor, causes the processor to perform the processing method based on a distributed private key.
Those skilled in the art will understand that the structure shown in Fig. 6 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the computer device to which the solution is applied. A specific computer device may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
Those of ordinary skill in the art will understand that all or part of the flows in the methods of the above embodiments can be carried out by a computer program instructing the relevant hardware. The program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the flows of the embodiments of the methods above. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
Accordingly, one embodiment also provides a computer storage medium storing a computer program which, when executed by a processor, implements the method of any one of the embodiments above.
The technical features of the embodiments described above can be combined arbitrarily. To keep the description concise, not every possible combination of the technical features in the above embodiments is described; however, as long as a combination of these technical features is not contradictory, it should be considered within the scope of this specification.

Claims (24)

1. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
receiving a message sent by a client;
when the message satisfies a use condition of the server-side private key component, sending a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and a symmetric key of the cipher machine, the related information including a server-side platform identification.
2. The method according to claim 1, characterized in that it comprises at least one of the following:
the message includes a user identifier and/or a key identification; the related information further includes the user identifier and/or the key identification;
the control instruction is a signature command, the signature command instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform a digital signature based on the server-side private key component;
sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before sending the control instruction to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
3. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
a client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain a client private key component ciphertext, and sends a message to a server-side;
the server-side receives the message sent by the client and, when the message satisfies a use condition of the server-side private key component, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and a symmetric key of the cipher machine, the related information including a server-side platform identification.
4. The method according to claim 3, characterized in that it comprises at least one of the following:
the message includes a user identifier and/or a key identification; the related information further includes the user identifier and/or the key identification;
the control instruction is a signature command, the signature command instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform a digital signature based on the server-side private key component;
sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before sending the control instruction to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
5. The method according to claim 3, characterized in that it comprises any one of the following items:
First item:
before obtaining the user identification code entered by the user, the client further performs the step of: obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
the step in which the client generates the client temporary key based on the user identification code comprises: generating the temporary key based on the user identification code and the device fingerprint information;
Second item:
before obtaining the user identification code entered by the user, the client further performs the step of: generating a salt value and storing the salt value;
the step in which the client generates the client temporary key based on the user identification code comprises: generating the temporary key based on the user identification code and the salt value;
Third item:
before obtaining the user identification code entered by the user, the client further performs the steps of: generating a salt value and storing the salt value; and obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
the step in which the client generates the client temporary key based on the user identification code comprises: generating the temporary key based on the user identification code, the salt value and the device fingerprint information;
Fourth item:
before obtaining the user identification code entered by the user, the client further performs the step of: generating a random integer and storing the random integer;
the step in which the client generates the client temporary key based on the user identification code comprises: based on the user identification code, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Fifth item:
before obtaining the user identification code entered by the user, the client further performs the step of: generating a salt value and a random integer, and storing the salt value and the random integer;
the step in which the client generates the client temporary key based on the user identification code comprises: based on the user identification code and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Sixth item:
before obtaining the user identification code entered by the user, the client further performs the steps of: generating a random integer; and obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
the step in which the client generates the client temporary key based on the user identification code comprises: based on the user identification code and the device fingerprint information, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Seventh item:
before obtaining the user identification code entered by the user, the client further performs the steps of: generating a salt value and a random integer, and storing the salt value and the random integer; and obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
the step in which the client generates the client temporary key based on the user identification code comprises: based on the user identification code, the salt value and the device fingerprint information, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key.
6. The method according to any one of claims 3 to 5, characterized in that it comprises at least one of the following items:
First item:
before obtaining the user identification code entered by the user, the client further performs the steps of:
obtaining the password authentication information and verification code entered by the user;
verifying the password authentication information and the verification code and, when verification passes, displaying the user identification code input interface;
Second item:
during the digital signature process, after the digital signature based on the client private key component has been made, the client destroys the copy of the client private key component in memory;
Third item:
before the digital signature is made, the client verifies, in cooperation with the server-side, whether the server-side private key component matches the client private key component.
7. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
a client obtains a user identification code and a client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain a client private key component, and sends a message to a server-side;
the server-side receives the message sent by the client and, when the message satisfies a use condition of the server-side private key component, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and a symmetric key of the cipher machine, the related information including a server-side platform identification.
8. The method according to claim 7, characterized in that it comprises at least one of the following:
the message includes a user identifier and/or a key identification; the related information further includes the user identifier and/or the key identification;
the control instruction is a signature command, the signature command instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform a digital signature based on the server-side private key component;
sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before sending the control instruction to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
9. The method according to claim 7, characterized in that it includes any one of the following items:
Item 1:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code and the device fingerprint information;
Item 2:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored salt value;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code and the salt value;
Item 3:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored salt value; and reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code, the salt value and the device fingerprint information;
Item 4:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored random integer;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code by executing a key derivation algorithm a number of times equal to the random integer;
Item 5:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored salt value and a stored random integer;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code and the salt value by executing a key derivation algorithm a number of times equal to the random integer;
Item 6:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored random integer, and reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer;
Item 7:
Before generating the client temporary key based on the user identification code, the client further performs the step of: reading a stored salt value and a stored random integer; and obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The step of the client generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code, the salt value and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer.
10. The method according to any one of claims 7 to 9, characterized in that it includes at least one of the following items:
Item 1:
Before obtaining the user identification code input by the user, the client further performs the steps of:
Obtaining password authentication information and a verification code input by the user;
Verifying the password authentication information and the verification code and, when the verification passes, displaying a user identification code input interface;
Item 2:
During digital signing, after performing digital signing based on the client private key component, the client destroys the copy of the client private key component in memory;
Item 3:
Before digital signing, the client and the server side jointly verify whether the server-side private key component matches the client private key component.
11. A processing system based on a distributed private key, characterized in that the system comprises a client and a server side;
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component using the client temporary key to obtain a client private key component ciphertext, and sends a message to the server side;
The server side receives the message sent by the client and, when the message meets a server-side private key component use condition, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and a symmetric key of the cipher machine, the related information including a server-side platform identifier.
12. The system according to claim 11, characterized in that the server side includes:
A server-side communication module, for receiving the message sent by the client;
A private key component processing control module, for sending a control instruction to the cipher machine when the message meets the server-side private key component use condition, the control instruction carrying related information and instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including the server-side platform identifier.
13. The system according to claim 12, characterized in that it includes at least one of the following items:
The message includes a user identifier and/or a key identifier; the related information further includes the user identifier and/or the key identifier;
The control instruction is a signature command, the signature command instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform digital signing based on the server-side private key component;
The server side further includes: a server-side private key copy destruction module, for sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
The server side further includes: a platform identifier generation module, for generating the server-side platform identifier;
The server side further includes: a security permission control module, for ensuring that the server-side private key component cannot be exported from the cipher machine in plaintext form, and that the server-side private key component is not allowed to be stored in a non-volatile storage component.
14. The system according to claim 11, characterized in that the client includes:
A client private key component generation module, for generating the client private key component;
A temporary key generation module, for obtaining the user identification code and generating the client temporary key based on the user identification code;
A private key component encryption module, for encrypting the client private key component using the client temporary key to obtain the client private key component ciphertext;
A client communication module, for sending the message to the server side.
15. The system according to claim 14, characterized in that it includes any one of the following items:
Item 1:
The client further includes: a device fingerprint information module, for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information;
Item 2:
The client further includes: a salt value module, for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value;
Item 3:
The client further includes a device fingerprint information module and a salt value module;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information;
Item 4:
The client further includes: a random integer module, for generating a random integer and storing the random integer;
The temporary key generation module generates the temporary key based on the user identification code by executing a key derivation algorithm a number of times equal to the random integer;
Item 5:
The client further includes: a random integer module and a device fingerprint information module;
The random integer module is for generating a random integer and storing the random integer;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer;
Item 6:
The client further includes: a random integer module and a salt value module;
The random integer module is for generating a random integer and storing the random integer;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value by executing a key derivation algorithm a number of times equal to the random integer;
Item 7:
The client further includes: a random integer module, a device fingerprint information module and a salt value module;
The random integer module is for generating a random integer and storing the random integer;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer.
16. The system according to any one of claims 13 to 15, characterized in that it includes at least one of the following items:
Item 1:
The client further includes: a password authentication module, for obtaining password authentication information and a verification code input by the user, verifying the password authentication information and the verification code and, when the verification passes, displaying a user identification code input interface;
Item 2:
The client further includes: a client private key copy destruction module, for destroying, during digital signing, the copy of the client private key component in memory after digital signing has been performed based on the client private key component;
Item 3:
The client further includes: a client private key component matching verification module, for verifying, jointly with the server side, whether the server-side private key component matches the client private key component.
17. A processing system based on a distributed private key, characterized in that the system comprises a client and a server side;
The client obtains a user identification code and a client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext using the client temporary key to obtain a client private key component, and sends a message to the server side;
The server side receives the message sent by the client and, when the message meets a server-side private key component use condition, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and a symmetric key of the cipher machine, the related information including a server-side platform identifier.
18. The system according to claim 17, characterized in that the server side includes:
A server-side communication module, for receiving the message sent by the client;
A private key component processing control module, for sending a control instruction to the cipher machine when the message meets the server-side private key component use condition, the control instruction carrying related information and instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including the server-side platform identifier.
19. The system according to claim 18, characterized in that it includes at least one of the following items:
The message includes a user identifier and/or a key identifier; the related information further includes the user identifier and/or the key identifier;
The control instruction is a signature command, the signature command instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform digital signing based on the server-side private key component;
The server side further includes: a server-side private key copy destruction module, for sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
The server side further includes: a platform identifier generation module, for generating the server-side platform identifier;
The server side further includes: a security permission control module, for ensuring that the server-side private key component cannot be exported from the cipher machine in plaintext form, and that the server-side private key component is not allowed to be stored in a non-volatile storage component.
20. The system according to claim 17, characterized in that the client includes:
A client private key ciphertext storage module, for storing the client private key ciphertext;
A temporary key generation module, for obtaining the user identification code and generating the client temporary key based on the user identification code;
A private key component decryption module, for reading the client private key ciphertext and decrypting the client private key component ciphertext using the client temporary key to obtain the client private key component;
A client communication module, for sending the message to the server side.
21. The system according to claim 20, characterized in that it includes any one of the following items:
Item 1:
The client further includes: a device fingerprint information module, for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information;
Item 2:
The client further includes: a salt value module, for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value;
Item 3:
The client further includes a device fingerprint information module and a salt value module;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information;
Item 4:
The client further includes: a random integer module, for reading a stored random integer;
The temporary key generation module generates the temporary key based on the user identification code by executing a key derivation algorithm a number of times equal to the random integer;
Item 5:
The client further includes: a random integer module and a device fingerprint information module;
The random integer module is for reading a stored random integer;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer;
Item 6:
The client further includes: a random integer module and a salt value module;
The random integer module is for reading a stored random integer;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value by executing a key derivation algorithm a number of times equal to the random integer;
Item 7:
The client further includes: a random integer module, a device fingerprint information module and a salt value module;
The random integer module is for reading a stored random integer;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer.
22. The system according to any one of claims 19 to 21, characterized in that it includes at least one of the following items:
Item 1:
The client further includes: a password authentication module, for obtaining password authentication information and a verification code input by the user, verifying the password authentication information and the verification code and, when the verification passes, displaying a user identification code input interface;
Item 2:
The client further includes: a client private key copy destruction module, for destroying, during digital signing, the copy of the client private key component in memory after digital signing has been performed based on the client private key component;
Item 3:
The client further includes: a client private key component matching verification module, for verifying, jointly with the server side, whether the server-side private key component matches the client private key component.
23. A computer device, comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to claim 1 or 2, or implements the processing steps of the client or the server side in the method according to any one of claims 3 to 10.
24. A computer-readable storage medium, storing a computer program, characterized in that the program, when executed by a processor, implements the steps of the method according to claim 1 or 2, or implements the processing steps of the client or the server side in the method according to any one of claims 3 to 10.
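An added sketch, not code from the patent, of the key handling in claims 7 to 9 and their system counterparts in claims 15 and 21: the client temporary key is derived from the user identification code with an optional salt value, device fingerprint and iteration count, and a cipher machine regenerates the server-side private key component on demand and wipes its in-memory copy. PBKDF2-HMAC-SHA256, HMAC-SHA256, the iteration floor and every function and class name are assumptions; the device parameters and the user identification code are constructed sample values.

```python
import hashlib
import hmac
import secrets

MIN_ITERATIONS = 100_000  # assumed floor; the claims only say "a random integer"


def _pack(*fields: bytes) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") encode differently."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def device_fingerprint(hardware: str, software: str, device_id: str) -> bytes:
    """Fingerprint over the hardware parameter, software parameter and device identity."""
    return hashlib.sha256(
        _pack(hardware.encode(), software.encode(), device_id.encode())
    ).digest()


def new_iteration_count(spread: int = 50_000) -> int:
    """Random integer stored beside the ciphertext and used as the KDF iteration count."""
    return MIN_ITERATIONS + secrets.randbelow(spread)


def client_temporary_key(user_code: str, salt: bytes = b"", fingerprint: bytes = b"",
                         iterations: int = MIN_ITERATIONS) -> bytes:
    """One function for all seven claimed combinations: salt, fingerprint and
    iteration count are each optional inputs next to the user identification code.
    PBKDF2-HMAC-SHA256 is an assumed choice of key derivation algorithm."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below the assumed floor")
    kdf_salt = _pack(b"client-temporary-key", salt, fingerprint)
    return hashlib.pbkdf2_hmac("sha256", user_code.encode(), kdf_salt,
                               iterations, dklen=32)


class CipherMachine:
    """Software stand-in for the cipher machine; a real one keeps the key in hardware."""

    def __init__(self) -> None:
        self._symmetric_key = secrets.token_bytes(32)  # never leaves the device

    def use_component(self, platform_id: str, user_id: str, key_id: str, operation):
        """Regenerate the server-side component from the related information, run
        `operation` on it (standing in for signing inside the device), then wipe it."""
        related_info = _pack(platform_id.encode(), user_id.encode(), key_id.encode())
        component = bytearray(
            hmac.new(self._symmetric_key, related_info, hashlib.sha256).digest()
        )
        try:
            return operation(component)
        finally:
            for i in range(len(component)):  # best-effort destruction of the copy
                component[i] = 0


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    fp = device_fingerprint("constructed-cpu-serial", "constructed-os-build",
                            "constructed-device-id")
    count = new_iteration_count()
    right = client_temporary_key("482913", salt, fp, count)
    wrong = client_temporary_key("482914", salt, fp, count)
    print("same key for a wrong code:", right == wrong)

    machine = CipherMachine()
    digest = machine.use_component("platform-A", "user-1", "key-1",
                                   lambda c: hashlib.sha256(bytes(c)).hexdigest())
    print("component digest (demo only):", digest)
```

Because the server-side component is a deterministic function of the device's symmetric key and the related information, nothing needs to be written to non-volatile storage between signatures.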
CN201810220635.0A 2018-03-16 2018-03-16 Processing method, system, computer equipment and storage medium based on distributed private key Active CN108471352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810220635.0A CN108471352B (en) 2018-03-16 2018-03-16 Processing method, system, computer equipment and storage medium based on distributed private key

Publications (2)

Publication Number Publication Date
CN108471352A (en) 2018-08-31
CN108471352B (en) 2022-03-04

Family

ID=63264478

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810220635.0A Active CN108471352B (en) 2018-03-16 2018-03-16 Processing method, system, computer equipment and storage medium based on distributed private key

Country Status (1)

Country Link
CN (1) CN108471352B (en)

Also Published As

Publication number Publication date
CN108471352B (en) 2022-03-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant