CN108471352A - Processing method, system, computer equipment based on distributed private key and storage medium - Google Patents
Processing method, system, computer equipment based on distributed private key and storage medium
- Publication number: CN108471352A (CN201810220635.0A)
- Authority: CN (China)
- Prior art keywords: client, server, private key, customer, module
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
This application relates to a processing method, computer device and computer storage medium based on a distributed private key. In one embodiment, the processing method based on a distributed private key includes: receiving a message sent by a client; and, when the message satisfies the condition for using the server private key component, sending a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier. With this scheme the cipher machine does not need to store a massive number of keys, which avoids the possibility of stored keys being illegally obtained by a third party and strengthens the security of the private key components of the distributed private key.
Description
Technical field
This application relates to the technical field of cryptography, and in particular to a processing method based on a distributed private key, a processing system based on a distributed private key, a computer device and a computer storage medium.
Background
With the development of the mobile Internet, implementing digital signatures on mobile terminals has become an urgent need. Because the operating system of a mobile terminal is a modifiable, untrusted running environment, many researchers have proposed schemes in which an electronic signature is generated collaboratively on the basis of a distributed key, in order to effectively protect the user's signing private key on the mobile terminal. In such a scheme, each of the two communicating parties stores part of the private key; only the two parties acting jointly can perform operations such as signing or decrypting a message, and neither party can obtain any information about the other party's private key. However, when implementing a collaborative signature scheme, measures must be taken to effectively protect the private key components of the client and the server, so as to resist attacks such as channel eavesdropping and client-side Trojans.
Summary of the invention
In view of this, it is necessary to provide a processing method based on a distributed private key, a processing system based on a distributed private key, a computer device and a computer storage medium.
A processing method based on a distributed private key, the method including the steps of:
Receiving a message sent by a client;
When the message satisfies the condition for using the server private key component, sending a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
A processing method based on a distributed private key, the method including the steps of:
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain the client private key component ciphertext, and sends a message to the server;
The server receives the message sent by the client and, when the message satisfies the condition for using the server private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
A processing method based on a distributed private key, the method including the steps of:
The client obtains a user identification code and the client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server;
The server receives the message sent by the client and, when the message satisfies the condition for using the server private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
A processing system based on a distributed private key, the system including a client and a server;
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain the client private key component ciphertext, and sends a message to the server;
The server receives the message sent by the client and, when the message satisfies the condition for using the server private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
A processing system based on a distributed private key, the system including a client and a server;
The client obtains a user identification code and the client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server;
The server receives the message sent by the client and, when the message satisfies the condition for using the server private key component, sends a control instruction to a cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
A computer device including a memory and a processor, the memory storing a computer program; when the processor executes the computer program, it implements the steps of the above method, or implements the processing steps of the client or the server in the methods described above.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above method, or implements the processing steps of the client or the server in the methods described above.
According to the scheme of the embodiments described above, when the server needs to use the server private key component, the server platform identifier is encrypted with the cipher machine's symmetric key to generate the server private key component. The cipher machine does not need to store a massive number of keys; it only needs to store the symmetric key in order to generate the corresponding server key components for numerous users. This avoids the possibility of stored keys being illegally obtained by a third party and strengthens the security of the private key components of the distributed private key.
Description of the drawings
Fig. 1 is the flow diagram of the processing method based on distributed private key in one embodiment;
Fig. 2 is the flow diagram of the processing method based on distributed private key in another embodiment;
Fig. 3 is the processing flow schematic diagram in the processing method based on distributed private key in one embodiment;
Fig. 4 is the flow diagram of the processing method based on distributed private key in another embodiment;
Fig. 5 is the processing flow schematic diagram in the processing method based on distributed private key in one embodiment;
Fig. 6 is the module diagram of the processing system based on distributed private key in another embodiment;
Fig. 7 is the internal structure schematic diagram of the computer equipment in one embodiment.
Detailed description
To make the purpose, technical solution and advantages of this application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the application and do not limit it.
The scheme of the embodiments of this application involves two devices, denoted device one and device two in a specific technical application. Device one holds the device-one private key component and device two holds the device-two private key component. In collaborative signing and decryption, device one uses the device-one private key component and device two uses the device-two private key component, and the two cooperate to complete the signing or decryption process. In some embodiments, device one may be a terminal and device two a server, implementing collaborative signing and decryption between terminal and server. Device one and device two may specifically be a desktop terminal, a mobile terminal, a smart wearable device, or any other device that can or needs to perform collaborative signing or decryption; when device two is a server, it may be a standalone server or a server cluster composed of multiple servers.
As shown in Fig. 1, the processing method based on a distributed private key in one embodiment includes the following steps S101 and S102; the method can be applied to a server.
Step S101: Receive the message sent by the client.
The message sent by the client can be any feasible message, as long as it can indicate to or trigger the server to perform an operation related to the server private key component. In one embodiment, the message may be one sent while instructing the server to generate the server private key, or one sent while performing a digital signature or decryption. The information contained in the message can differ between technical scenarios.
In one embodiment, the message sent by the client may contain only what is needed to indicate to or trigger the server to perform the operation related to the server private key component.
In one embodiment, the message sent by the client may include a user identifier. With the user identifier in the message, the server can subsequently generate the server private key component corresponding to that user identifier, and can therefore generate different server private key components for different users.
In one embodiment, the message sent by the client may include a key identifier. With the key identifier in the message, the server can subsequently generate the server private key component corresponding to that key identifier, and can therefore generate different server private key components for different key identifiers; the different components generated can be used for different purposes.
In one embodiment, the message sent by the client may include both a user identifier and a key identifier. With both in the message, the server can subsequently generate, based on the user identifier and the key identifier, different server private key components corresponding to that user identifier; the different components generated can be used for the different purposes associated with that user identifier.
Step S102: When the message satisfies the condition for using the server private key component, send a control instruction to the cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
The condition for using the server private key component can be set in different ways, as long as the message can trigger the server to send the above control instruction to the cipher machine.
In one embodiment, the message may be a message in the process in which the client and the server cooperate to generate the server private key component.
In another embodiment, the message may be a message in the process in which the client and the server cooperate to encrypt, sign or decrypt. Taking signing as an example, the control instruction may be a signature instruction, which instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key and to perform the digital signature based on that component; the cipher machine can thus be instructed to generate the server private key component while the digital signature is being executed. The server therefore actually completes generation of the server private key component during the digital signature, and neither the server hosting the server side nor the cipher machine needs to store the generated component. Where the server needs to co-sign with the users of many different user terminals, the server and the cipher machine do not need to store a massive number of server private key components, which further improves security.
In one embodiment, when the message sent by the client includes a user identifier, the associated information may also include that user identifier. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the user identifier and the cipher machine's symmetric key. The server can thus generate the server private key component corresponding to the user identifier, and accordingly generate different server private key components for different users.
In one embodiment, when the message sent by the client includes a key identifier, the associated information also includes that key identifier. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the key identifier and the cipher machine's symmetric key. The server can thus generate different server private key components for different key identifiers, and the different components generated can be used for different purposes.
In one embodiment, when the message sent by the client includes both a user identifier and a key identifier, the associated information also includes both. In this case, based on the control instruction, the cipher machine generates the server private key component from the server platform identifier, the user identifier, the key identifier and the cipher machine's symmetric key. The server can thus generate, based on the user identifier and the key identifier, different server private key components corresponding to that user identifier, which can be used for the different purposes associated with that user identifier.
The generated server private key component can be restricted so that it cannot be exported from the cipher machine in plaintext form, and can also be restricted so that it is not allowed to be stored in a non-volatile storage component. This further strengthens the protection of the server private key component and further improves security.
The server platform identifier can be determined in any feasible way. In one embodiment, before the control instruction is sent to the cipher machine, the method may also include the step of generating the server platform identifier. The server platform identifier can be generated in any feasible way. For example, in one embodiment, a random number can be generated by a random number generator and used as the server platform identifier; this increases the randomness of the server platform identifier, and hence the randomness of the server private key component generated from it, further strengthening security. In another embodiment, the server platform identifier can be generated from relevant information about the server using some algorithm.
In one embodiment, after the control instruction is sent, the method may also include the step of:
Sending a destroy instruction to the cipher machine. The destroy instruction instructs the cipher machine to destroy the copy of the server private key component in its memory. In this way, the copy of the server private key component in memory is destroyed after every use. Once it has been destroyed, the verification process that pairs it with the client private key component must be executed before the server private key component can be restored again. This prevents an unauthorized server-side application from using some user's server private key component by sending instructions to the cipher machine, which further strengthens security.
One example is described in detail below. It covers the generation of the server private key component, the use of the server private key component and the protection of the server private key component.
To generate the server private key component, the server generates a server platform identifier PlatformID, and the symmetric key X of a symmetric encryption algorithm is generated and stored inside the cipher machine. In a specific example, the generation flow for the server private key component can be as follows:
Receive the user identifier UserID and the key identifier KeyID sent by the client. The user identifier UserID identifies different users, and the key identifier KeyID distinguishes different keys; one key identifier corresponds to one client private key component and one server private key component.
The server then calls the cipher machine interface, and inside the cipher machine the server private key component d2, of length klen bits, is calculated from the server platform identifier PlatformID, the user identifier UserID, the key identifier KeyID and the symmetric key X. As a formula:
seed = Encrypt(PlatformID || UserID || KeyID, X);
d2 = KDF(seed, klen).
Here Encrypt is a symmetric encryption algorithm that encrypts using the symmetric key X. Any feasible symmetric encryption algorithm can be used, such as DES (Data Encryption Algorithm), AES (Advanced Encryption Standard) or SM4 (a block cipher). KDF is a key derivation algorithm, which may specifically be the function defined in the PKCS#5 standard, or the key derivation algorithm defined in "GM/T 0003.4-2012 SM2 Elliptic Curve Public Key Cryptographic Algorithm, Part 4: Public Key Encryption Algorithm", and so on.
To use the server private key component, it must first be recovered. The process of recovering the server private key component is exactly the same as the process of generating it described above. In a specific application scenario, no separate flow is needed to generate the server private key component; instead, the cipher machine generates it whenever it needs to be used, so the server and the cipher machine do not need to store a massive amount of key data.
Taking digital signature as an example: while executing the digital signature, after the server obtains the user identifier UserID and the key identifier KeyID sent by the client, it calls the cipher machine interface. Inside the cipher machine, the server private key component d2, of length klen bits, is calculated from the server platform identifier PlatformID, the user identifier UserID, the key identifier KeyID and the symmetric key X, and the digital signature process is completed based on the generated d2.
To protect the private key component effectively, a specific implementation can restrict and ensure that the calculated server private key component d2 cannot be exported outside the cipher machine in plaintext form, and that the d2 generated by the cipher machine is not allowed to be stored in a non-volatile storage component. In the stage where the client and the server cooperate to perform the digital signature, the server sends an instruction to the cipher machine, and the private key component d2 is calculated from X inside the cipher machine to complete the collaborative signing step. In addition, whether the public key is being computed or a collaborative signature is being performed, after the server private key component d2 has been used in the cipher machine, the server can send an instruction to the cipher machine to destroy the copy of the server private key component in the cipher machine's memory.
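The following Python sketch is an added example, not code from the patent: it walks through the generate, use and destroy cycle for d2 with only X held by a stand-in cipher machine. Assumptions: HMAC-SHA256 keyed with X stands in for Encrypt, SHA-256 stands in for SM3 in an SM2-style counter KDF, the fields are length-prefixed before concatenation, and the class, function and sample identifier names are hypothetical.

```python
import hashlib
import hmac
import struct


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix every field before concatenating.

    Plain PlatformID || UserID || KeyID is ambiguous: ("ab", "c") and
    ("a", "bc") give the same bytes and therefore the same d2.
    """
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def counter_kdf(z: bytes, klen_bits: int) -> bytes:
    """Counter-mode hash KDF shaped like the SM2 KDF: H(Z||1) || H(Z||2) ...

    Assumption: SHA-256 replaces SM3, which the standard library lacks.
    """
    if klen_bits <= 0 or klen_bits % 8:
        raise ValueError("klen must be a positive multiple of 8 bits")
    out = b""
    counter = 1
    while len(out) * 8 < klen_bits:
        out += hashlib.sha256(z + struct.pack(">I", counter)).digest()
        counter += 1
    return out[: klen_bits // 8]


class ToyCipherMachine:
    """Hypothetical stand-in for the cipher machine: it stores only X."""

    def __init__(self, x: bytes):
        if len(x) < 16:
            raise ValueError("symmetric key X too short")
        self._x = x

    def _derive_d2(self, platform_id, user_id, key_id, klen_bits):
        msg = encode_fields(platform_id, user_id, key_id)
        # Assumption: HMAC-SHA256 keyed with X stands in for Encrypt(..., X).
        # Whatever is used must be deterministic, or d2 cannot be recovered.
        seed = hmac.new(self._x, msg, hashlib.sha256).digest()
        return bytearray(counter_kdf(seed, klen_bits))

    def tag_with_d2(self, platform_id, user_id, key_id, message, klen_bits=256):
        """Regenerate d2, use it once, and clear the working copy.

        The HMAC tag is a placeholder for the server's share of a
        collaborative signature; d2 itself is never returned.
        """
        d2 = self._derive_d2(platform_id, user_id, key_id, klen_bits)
        try:
            return hmac.new(d2, message, hashlib.sha256).digest()
        finally:
            # Models the destroy instruction. Python cannot guarantee that no
            # other copy exists; a real cipher machine wipes its own memory.
            for i in range(len(d2)):
                d2[i] = 0


def demo() -> dict:
    hsm = ToyCipherMachine(bytes(range(32)))  # constructed test key, not a real X
    platform = b"platform-demo-01"            # constructed PlatformID
    msg = b"digest-to-sign"                   # constructed message
    first = hsm.tag_with_d2(platform, b"alice", b"sign-key", msg)
    again = hsm.tag_with_d2(platform, b"alice", b"sign-key", msg)
    other_user = hsm.tag_with_d2(platform, b"bob", b"sign-key", msg)
    other_key = hsm.tag_with_d2(platform, b"alice", b"enc-key", msg)
    # These two inputs would collide without the length prefixes.
    split_a = hsm.tag_with_d2(platform, b"ab", b"c", msg)
    split_b = hsm.tag_with_d2(platform, b"a", b"bc", msg)
    return {
        "recovered_on_demand": first == again,
        "per_user": first != other_user,
        "per_key": first != other_key,
        "boundaries_kept": split_a != split_b,
    }


if __name__ == "__main__":
    print(demo())
```

Because nothing but X is stored, compromise of X exposes every derivable d2, so the protections the text lists for d2 matter at least as much for X.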
The processing method based on a distributed private key in one embodiment involves a client and a server. In a specific implementation, the client may be an application program installed on a user terminal, and the server may be an application program installed on a server. As shown in Fig. 2, the method involving the client and the server in one embodiment includes the following steps S201 to S202; this embodiment is described for the scenario in which the client generates its private key component.
Step S201: The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component with the client temporary key to obtain the client private key component ciphertext, and sends a message to the server.
Step S202: The server receives the message sent by the client and, when the message satisfies the condition for using the server private key component, sends a control instruction to the cipher machine. The control instruction carries associated information and instructs the cipher machine to generate the server private key component from the associated information and the cipher machine's symmetric key; the associated information includes a server platform identifier.
The processing performed by the server in step S202 can be the same as the server processing in the embodiment shown in Fig. 1 above.
Step S201 can be executed on the user terminal device. In one embodiment, as shown in Fig. 3, step S201 may include the following steps S2011 to S2013.
Step S2011: Obtain the user identification code, and generate the client temporary key based on the user identification code.
In one embodiment, the user identification code can be the user's PIN (personal identification number), which can be obtained from user input.
The client temporary key can be generated from the user identification code in any feasible way. In one embodiment, the client temporary key can be obtained by executing a key derivation algorithm with the user-entered identification code as the input parameter.
In one embodiment, before the user-entered identification code is obtained, the method may also include the steps of: obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the device fingerprint information. In one example, the client temporary key can be obtained by executing a key derivation algorithm with the user-entered identification code and the device fingerprint information as input parameters.
In one example, before the device identity identifier is obtained, the method further includes the steps of: generating the device identity identifier with a random number generator and storing it. The device identity identifier can be stored in non-volatile storage so that it can be read during subsequent use.
In one embodiment, before the user-entered identification code is obtained, the method further includes the steps of: generating a salt value (an additional value added during the cryptographic process) and storing it. The salt value can be stored in non-volatile storage so that it can be read during subsequent use.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the client temporary key based on the user identification code and the salt value. In one specific example, the client temporary key can be obtained by executing a key derivation algorithm with the user-entered identification code and the salt value as input parameters. Introducing the salt value helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the user-entered identification code is obtained, the method further includes the steps of: generating a salt value and storing it; and obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier.
In this case, the step of generating the client temporary key based on the user identification code includes: generating the temporary key based on the user identification code, the salt value and the device fingerprint information. In one specific example, the client temporary key can be obtained by executing a key derivation algorithm with the user-entered identification code, the device fingerprint information and the salt value as input parameters.
In one embodiment, before the user-entered identification code is obtained, the method may also include the steps of: generating a random integer and storing it. The random integer can be stored in non-volatile storage so that it can be read during subsequent use.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key. For example, with the user identification code as the input parameter, the key derivation algorithm is executed a number of times equal to the random integer to generate the client temporary key. Introducing the random integer helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the user-entered identification code is obtained, the method may also include the steps of: generating a salt value and a random integer, and storing both.
In this case, the step of generating the client temporary key based on the user identification code includes: based on the user identification code and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key.
In one embodiment, where a random integer has been generated and the client temporary key is generated with the user identification code and the device fingerprint information as input parameters, the key derivation algorithm is executed a number of times equal to the random integer, with the user identification code and the device fingerprint information as input parameters, to generate the client temporary key. In one embodiment, where both a salt value and a random integer have been generated and the temporary key is generated based on the user identification code, the salt value and the device fingerprint information, the key derivation algorithm can be executed a number of times equal to the random integer, with the user-entered identification code, the device fingerprint information and the salt value as input parameters, to generate the client temporary key.
In one embodiment, before obtaining the CUSTOMER ID entered by the user, the method may further include the steps of: obtaining the password authentication information and the verification code entered by the user; verifying the password authentication information and the verification code; and, when verification passes, displaying the CUSTOMER ID input interface. Two-factor verification by password and verification code is thus applied, and the CUSTOMER ID may be entered only when verification succeeds. In a specific example, the length and character types of the password may also be constrained, for example the password length must be greater than a first predetermined length and the character types must include uppercase letters, lowercase letters and digits, so as to enforce high-strength verification.
On the other hand, in one embodiment, when verification of the password authentication information and the verification code fails a first predetermined number of consecutive times, the mechanism for verifying the password authentication information and the verification code is locked, that is, the user is not allowed to continue the corresponding flow, and it is unlocked after a first time period. If, after unlocking, verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after a second time period, where the second time period is longer than the first time period, and so on.
Step S2012: Generate the client private key component.
The client private key component may be generated in any possible way. In one embodiment, a random number is generated with a random number generator and used as the client private key component.
Step S2013: Encrypt the client private key component with the client temporary key to obtain the client private key component ciphertext.
When the client private key component is encrypted with the client temporary key, any possible encryption method may be used. For example, the client temporary key can serve as a symmetric key, and symmetric encryption is performed on the client private key component with the client temporary key to obtain the client private key ciphertext. In one embodiment, the client private key ciphertext obtained can be saved in the non-volatile storage space inside the client's isolated container.
In one embodiment, during digital signing, after the digital signature has been performed based on the client private key component, the copy of the client private key component in memory may also be destroyed. This avoids the possibility of the in-memory copy of the client private key component becoming known to others, further strengthening security.
In one embodiment, before the digital signature is performed, the method may further include the step of verifying whether the server-side private key component matches the client private key component, to avoid unauthorized use of the server-side private key component.
As shown in Fig. 4, in one embodiment the method involving the client and the server side includes the following steps S401 to S402. This embodiment is described for the scenario in which the client decrypts to obtain the client private key component.
Step S401: The client obtains the CUSTOMER ID and the client private key component ciphertext, generates the client temporary key based on the CUSTOMER ID, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server side.
Step S402: The server side receives the message sent by the client and, when the message meets the use condition for the server-side private key component, sends a control instruction to the cipher machine. The control instruction carries related information and instructs the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine. The related information includes the server-side platform identification.
The processing of the server side in step S402 may be the same as the processing of the server in the embodiment shown in Fig. 1 above.
The above step S401 can be executed on the user terminal device. In one embodiment, step S401 may include the following steps S4011 to S4012.
Step S4011: Obtain the CUSTOMER ID and the client private key component ciphertext, and generate the client temporary key based on the CUSTOMER ID.
The client private key component ciphertext can be read directly from storage space. In one embodiment the CUSTOMER ID can be the user's PIN (personal identification number), and it can be obtained from user input.
The client temporary key may be generated from the CUSTOMER ID in any possible way. In one embodiment, the CUSTOMER ID entered by the user is used as the input parameter, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the CUSTOMER ID, the method may further include the step of reading the device hardware parameters, the device software parameters and the device identifier, and generating the device fingerprint information based on them.
In this case, the step of generating the client temporary key based on the CUSTOMER ID includes: generating the client temporary key based on the CUSTOMER ID and the device fingerprint information. In one example, the CUSTOMER ID entered by the user and the device fingerprint information are used as input parameters, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the CUSTOMER ID, the method further includes the step of reading the stored salt value (the additional value added in the cryptographic process).
In this case, the above step of generating the client temporary key based on the CUSTOMER ID includes: generating the client temporary key based on the CUSTOMER ID and the salt value that was read. In a specific example, the CUSTOMER ID entered by the user and the salt value are used as input parameters, and the client temporary key is obtained by executing a key derivation algorithm. Introducing the salt value thus helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the client temporary key is generated based on the CUSTOMER ID, the method further includes the steps of: reading the stored salt value; and reading the device hardware parameters, the device software parameters and the device identifier, and generating the device fingerprint information based on them.
In this case, the above step of generating the client temporary key based on the CUSTOMER ID includes: generating the temporary key based on the CUSTOMER ID, the salt value and the device fingerprint information. In a specific example, the CUSTOMER ID entered by the user, the device fingerprint information and the salt value are used as input parameters, and the client temporary key is obtained by executing a key derivation algorithm.
In one embodiment, before the client temporary key is generated based on the CUSTOMER ID, the method may further include the step of reading the stored random integer.
In this case, the above step of generating the client temporary key based on the CUSTOMER ID includes: based on the CUSTOMER ID, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key. Introducing the random integer thus helps resist rainbow table attacks and further strengthens security.
In one embodiment, before the client temporary key is generated based on the CUSTOMER ID, the method may further include the step of reading the stored salt value and random integer.
In this case, the step of generating the client temporary key based on the CUSTOMER ID includes: based on the CUSTOMER ID and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the client temporary key.
It will be appreciated that, where the client temporary key is generated with the CUSTOMER ID as the input parameter, the key derivation algorithm may be executed a number of times equal to the random integer, with the CUSTOMER ID as the input parameter, to generate the client temporary key. In one embodiment, where the random integer has been read and the client temporary key is generated with the CUSTOMER ID and the device fingerprint information as input parameters, the key derivation algorithm is executed a number of times equal to the random integer, with the CUSTOMER ID and the device fingerprint information as input parameters, to generate the client temporary key. In one embodiment, where both the salt value and the random integer have been read and the temporary key is generated based on the CUSTOMER ID, the salt value and the device fingerprint information, the CUSTOMER ID entered by the user, the device fingerprint information and the salt value are used as input parameters, and the key derivation algorithm is executed a number of times equal to the random integer to generate the client temporary key.
In one embodiment, before obtaining the CUSTOMER ID entered by the user, the method may further include the steps of: obtaining the password authentication information and the verification code entered by the user; verifying the password authentication information and the verification code; and, when verification passes, displaying the CUSTOMER ID input interface. Two-factor verification by password and verification code is thus applied, and the CUSTOMER ID may be entered only when verification succeeds. In a specific example, the length and character types of the password may also be constrained, for example the password length must be greater than a first predetermined length and the character types must include uppercase letters, lowercase letters and digits, so as to enforce high-strength verification.
On the other hand, in one embodiment, when verification of the password authentication information and the verification code fails a first predetermined number of consecutive times, the mechanism for verifying the password authentication information and the verification code is locked, that is, the user is not allowed to continue the corresponding flow, and it is unlocked after a first time period. If, after unlocking, verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after a second time period, where the second time period is longer than the first time period, and so on.
Step S4012: Decrypt the client private key component ciphertext with the client temporary key to obtain the client private key component.
When the client private key component ciphertext is decrypted with the client temporary key, any possible decryption method may be used, provided it corresponds to the encryption method. For example, the client temporary key can be a symmetric key, and symmetric decryption is performed with the client temporary key to obtain the client private key component.
In one embodiment, during digital signing, after the digital signature has been performed based on the client private key component, the copy of the client private key component in memory may also be destroyed. This avoids the possibility of the in-memory copy of the client private key component becoming known to others, further strengthening security.
In one embodiment, before the digital signature is performed, the method may further include the step of verifying whether the server-side private key component matches the client private key component, to avoid unauthorized use of the server-side private key component.
One of the examples is described in detail below. This example covers the generation of the client private key component, the use of the client private key component and the protection of the client private key component.
The process of generating the client private key component may include the following steps A1 to A4.
Step A1: Generate the relevant non-sensitive parameters. In one embodiment the non-sensitive parameters include the salt value Salt, the random integer Rounds and the device identifier UUID.
Salt value Salt: the client may generate the salt value Salt with a random number generator.
Random integer Rounds: the client may generate a random integer Rounds with a random number generator; Rounds can be used as the iteration count of the key derivation function KDF.
Device identifier UUID: the client may generate, with a random number generator, the device identifier UUID used to identify the device.
The generated salt value Salt, random integer Rounds and device identifier UUID can be saved in the non-volatile storage space inside the isolated container of the client on the user terminal (for example a mobile terminal APP (Application, third party application)).
Step A2: Generate the device fingerprint information MobileID.
In a specific implementation, the client may read the relevant hardware parameter SysInfo1 from the non-volatile storage space of the client's isolated container on the mobile device. SysInfo1 may include hardware parameters such as the CPU (Central Processing Unit) type and the number of CPUs.
In addition, the client can read the relevant software parameter SysInfo2 of the terminal device it runs on. SysInfo2 may include software parameters such as the operating system type.
In addition, the client can read the device identifier UUID from the non-volatile storage space of the client's isolated container on the mobile device.
It will be appreciated that the hardware parameter SysInfo1, the software parameter SysInfo2 and the device identifier UUID may be read in any order, provided that all three have been read before the device fingerprint information MobileID is computed as described below.
Then the hardware parameter SysInfo1, the software parameter SysInfo2 and the device identifier UUID are concatenated, the concatenated value is used as input, and a digest algorithm is executed to compute the device fingerprint information MobileID. MobileID can be 256 bits of information and can be expressed as:
MobileID = Hash(SysInfo1 || SysInfo2 || UUID).
The digest algorithm Hash can be any possible digest algorithm, such as MD5 (Message Digest Algorithm 5), SHA256 (Secure Hash Algorithm), SM3 (a cryptographic hash algorithm), etc.
Step A3: Generate the temporary key TK.
The client displays the CUSTOMER ID input interface, prompts the user to enter the CUSTOMER ID (PIN code), and obtains the CUSTOMER ID entered by the user. In addition, the client reads the salt value Salt and the random integer Rounds from the non-volatile storage space of the client's isolated container on the mobile device.
Then the CUSTOMER ID (PIN code), the salt value Salt and the device fingerprint information MobileID are concatenated, the concatenated value is used as the input parameter, and the key derivation algorithm is executed Rounds times to obtain the temporary key TK. The formula can be expressed as:
TK = KDF(PIN || Salt || MobileID, Rounds).
Step A4: Generate the client private key component and store it encrypted.
The client generates a random number with a random number generator and uses it as the client private key component d1.
Then, with the client private key component d1 as input and the temporary key TK as the symmetric key, the client executes a symmetric encryption algorithm (such as AES or SM4) to encrypt d1 and obtain the client private key component ciphertext SD1. Any encryption mode (such as ECB/CBC/OFB) may be used.
The client private key component ciphertext SD1 obtained is saved in the non-volatile storage space inside the isolated container of the client (such as a mobile terminal App) on the user terminal.
To use the client private key component, it must first be recovered. The process of recovering the client private key component may include the following steps B1 to B4.
Step B1: Extract the parameters.
In a specific example, the extracted parameters may include the salt value Salt, the random integer Rounds, the device identifier UUID and the client private key component ciphertext SD1.
Step B2: Extract the device fingerprint information MobileID.
In a specific implementation, the client may read the relevant hardware parameter SysInfo1 from the non-volatile storage space of the client's isolated container on the mobile device, read the relevant software parameter SysInfo2 of the terminal device it runs on, and read the device identifier UUID from the non-volatile storage space of the client's isolated container on the mobile device.
It will be appreciated that the hardware parameter SysInfo1, the software parameter SysInfo2 and the device identifier UUID may be read in any order, provided that all three have been read before the device fingerprint information MobileID is computed as described below.
Then the hardware parameter SysInfo1, the software parameter SysInfo2 and the device identifier UUID are concatenated, the concatenated value is used as input, and the digest algorithm is executed to compute the device fingerprint information MobileID.
Step B3: Generate the temporary key TK.
The client displays the CUSTOMER ID input interface, prompts the user to enter the CUSTOMER ID (PIN code), and obtains the CUSTOMER ID entered by the user. In addition, the client reads the salt value Salt and the random integer Rounds from the non-volatile storage space of the client's isolated container on the mobile device.
Then the CUSTOMER ID (PIN code), the salt value Salt and the device fingerprint information MobileID are concatenated, the concatenated value is used as the input parameter, and the key derivation algorithm is executed Rounds times to obtain the temporary key TK. The formula can be expressed as:
TK = KDF(PIN || Salt || MobileID, Rounds).
Step B4: Compute the client private key component.
With the client private key component ciphertext SD1 as input and the temporary key TK as the symmetric key, the client executes the decryption algorithm of the symmetric cipher (such as AES or SM4) to decrypt SD1 and obtain the client private key component d1.
Once the client private key component d1 has been obtained, it can be used to perform the relevant encryption, signing, decryption and other processes.
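Steps A1 to A4 and B1 to B4 above, as an added Python sketch that is not code from the patent or from any product implementing it. It assumes SHA-256 for Hash and PBKDF2-HMAC-SHA256 for KDF (PIN as the password, Salt || MobileID as the salt), and an HMAC-derived XOR keystream stands in for the AES/SM4 step because the Python standard library has no block cipher; the function names, the iteration range and the sample device parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import uuid


def generate_parameters() -> dict:
    """Step A1: non-sensitive parameters kept in the app's private storage."""
    return {
        "salt": secrets.token_bytes(16),
        # Random iteration count; the 50,000..100,000 range is an assumption.
        "rounds": 50_000 + secrets.randbelow(50_001),
        "uuid": uuid.uuid4().bytes,
    }


def device_fingerprint(sysinfo1: bytes, sysinfo2: bytes, device_uuid: bytes) -> bytes:
    """Steps A2/B2: MobileID = Hash(SysInfo1 || SysInfo2 || UUID), 256 bits."""
    return hashlib.sha256(sysinfo1 + sysinfo2 + device_uuid).digest()


def derive_tk(pin: str, salt: bytes, mobile_id: bytes, rounds: int) -> bytes:
    """Steps A3/B3: TK = KDF(PIN || Salt || MobileID, Rounds).

    PBKDF2 takes password and salt separately, so Salt || MobileID (both
    fixed-length here) is passed as the salt. This mapping is an assumption.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"),
                               salt + mobile_id, rounds, dklen=32)


def wrap(data: bytes, tk: bytes) -> bytes:
    """Stand-in for the AES/SM4 step: XOR with a keystream derived from TK.

    XOR is its own inverse, so this one function serves A4 and B4. It has no
    integrity check, so a wrong TK gives a wrong value, not an error.
    """
    if len(data) > 32:
        raise ValueError("this stand-in only covers a 32-byte component")
    stream = hmac.new(tk, b"client-component-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def enroll(pin: str, sysinfo1: bytes, sysinfo2: bytes):
    """Steps A1-A4. Returns (stored record, d1); d1 is returned for the demo only."""
    params = generate_parameters()
    mobile_id = device_fingerprint(sysinfo1, sysinfo2, params["uuid"])
    tk = derive_tk(pin, params["salt"], mobile_id, params["rounds"])
    d1 = secrets.token_bytes(32)          # client private key component
    stored = dict(params, sd1=wrap(d1, tk))
    return stored, d1                     # neither PIN nor TK is stored


def recover(pin: str, sysinfo1: bytes, sysinfo2: bytes, stored: dict) -> bytes:
    """Steps B1-B4: re-derive TK from the PIN and the device, then unwrap SD1."""
    mobile_id = device_fingerprint(sysinfo1, sysinfo2, stored["uuid"])
    tk = derive_tk(pin, stored["salt"], mobile_id, stored["rounds"])
    return wrap(stored["sd1"], tk)


if __name__ == "__main__":
    hw, sw = b"cpu=arm64;cores=8", b"os=android"   # constructed sample values
    record, d1 = enroll("Xk3pQ9wz", hw, sw)
    print("right PIN recovers d1:", recover("Xk3pQ9wz", hw, sw, record) == d1)
    print("wrong PIN recovers d1:", recover("Xk3pQ9wA", hw, sw, record) == d1)
```

The wrap in this sketch carries no integrity check, so a wrong PIN or a changed device parameter produces a different value rather than an error; the mismatch would only surface in the pairing check against the server-side component that the text describes.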
To protect the private key component effectively, the following strategies may be used in a specific implementation.
In one embodiment, when the user logs in to the client (such as an App) on the user terminal, two-factor verification by password authentication plus a verification code can be used; the verification code can specifically be a short message verification code. Password authentication can use the CHAP protocol or a password authentication protocol defined by IEEE P1363 (such as SRP-6). Only when the password is verified as correct is the PIN code input interface displayed and the PIN code allowed to be entered to call the client private key component.
In one embodiment, an authentication policy can be applied to the strength of the user password and the PIN code, for example requiring the PIN code to meet the following conditions: first, the length is greater than a first predetermined length or lies within a predetermined range, for example 8 to 12 characters; second, it must contain uppercase letters, lowercase letters and digits at the same time; third, it passes a weak-password check against a preset list.
In one embodiment, each time the collaborative signature algorithm has been executed, the client immediately destroys any copy of the client private key component d1 in memory.
In one embodiment, after the client has recovered the client private key component d1 and before steps such as collaborative signing are executed, it must further be verified whether the client private key component matches the server-side private key component. Only when they match can the client private key component d1 take part in the signing operation, so that the reliably secured server-side private key component d2 is used to strengthen verification of the user's identity. This embodiment does not limit how private key component pairing is verified; for example, reference may be made to the GB/T 15843 standard.
In the password authentication flow, and in the private key component pairing flow of the collaborative signing stage, the server side can apply exception-handling measures for authentication failure. For example, if the authentication flow fails a first predetermined number of consecutive times (such as 3 times), the server side prevents the user from continuing the corresponding flow and forces the user to wait a first predetermined time period (such as 1 minute) before allowing operation to continue. If, after unlocking, authentication fails a second predetermined number of consecutive times (the second predetermined number may be the same as or different from the first, and may for example also be set to 3), locking continues and the lock time can be doubled, and so on. If the client successfully completes one authentication, the error lock delay policy for the corresponding account is released.
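The failure-handling policy described above (and in the earlier lock/unlock embodiments), as an added Python sketch that is not part of the patent text. It uses the example values the text gives (3 consecutive failures, a 1-minute first lock, doubling on each further lock) and assumes the same threshold for every round; the class and method names are hypothetical.

```python
class LockoutPolicy:
    """Server-side escalating lock for one verification flow."""

    def __init__(self, max_failures: int = 3, first_lock_seconds: int = 60):
        self.max_failures = max_failures
        self.first_lock_seconds = first_lock_seconds
        # account -> {"failures": consecutive failures since last lock,
        #             "locks": locks imposed so far, "locked_until": timestamp}
        self._accounts = {}

    def locked_until(self, account: str) -> float:
        """Time at which the account unlocks (0 if no lock is recorded)."""
        return self._accounts.get(account, {}).get("locked_until", 0)

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Process one verification attempt at time `now` (in seconds).

        Returns "ok", "failed" or "locked".
        """
        state = self._accounts.setdefault(
            account, {"failures": 0, "locks": 0, "locked_until": 0})
        if now < state["locked_until"]:
            # While locked the flow is refused outright, so a correct
            # credential is not accepted and a wrong one is not counted.
            return "locked"
        if credential_ok:
            # One successful authentication releases the delay policy.
            del self._accounts[account]
            return "ok"
        state["failures"] += 1
        if state["failures"] < self.max_failures:
            return "failed"
        # Threshold reached: lock, doubling the period on each successive lock.
        lock_seconds = self.first_lock_seconds * 2 ** state["locks"]
        state["locked_until"] = now + lock_seconds
        state["locks"] += 1
        state["failures"] = 0
        return "locked"


if __name__ == "__main__":
    policy = LockoutPolicy()
    # Constructed timeline: (time in seconds, credential correct?)
    timeline = [(0, False), (1, False), (2, False), (30, True),
                (62, False), (63, False), (64, False), (184, True)]
    for t, ok in timeline:
        print(t, policy.attempt("alice", ok, t), policy.locked_until("alice"))
```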
In summary, the schemes of the embodiments of this application described above improve security in the following ways.
The server-side private key component d2 is protected by a cipher machine that meets security level 3, so that even if the client private key component d1 is leaked, an attacker cannot obtain the complete private key d.
The client private key component d1 is generated with a random number generator that meets the national cryptographic random number test specification, and is protected by encryption with the temporary key TK derived from the PIN code.
Verifying the strength of the PIN code helps resist offline dictionary attacks, and introducing the salt value Salt and the random integer Rounds helps resist rainbow table attacks.
When the temporary key TK is derived from the PIN code, the KDF algorithm is executed Rounds times, which consumes considerable execution time and makes offline enumeration or dictionary attacks harder for an attacker. In the scheme of this embodiment, the enumeration space of the PIN code contains at least 62^8 cases; assuming that computing one KDF iteration takes 100 milliseconds, enumeration needs approximately 2.2 × 10^16 milliseconds (about 6900 centuries).
Adding the step that verifies the pairing of the client and server-side private key components increases the strength of client identity authentication and at the same time avoids unauthorized use of the server-side private key component.
Applying policy controls for error exceptions to online verification flows such as user password authentication and the pairing of client and server-side private key components means that an attacker cannot carry out online enumeration or dictionary attacks within an acceptable time.
Two-factor verification by login password plus short message verification code is used when the user logs in to the client on the user terminal. The login password for the user role and the PIN that protects the certificate private key are kept completely separate, so that the password does not take part in the computation that generates or recovers the client private key component.
As shown in Fig. 5, the processing system based on a distributed private key in one embodiment includes client 1 and server side 2. Taking the scenario in which the client generates the private key component as an example:
Client 1 generates the client private key component, obtains the CUSTOMER ID, generates the client temporary key based on the CUSTOMER ID, encrypts the client private key component with the client temporary key to obtain the client private key component ciphertext, and sends a message to the server side;
Server side 2 receives the message sent by client 1 and, when the message meets the use condition for the server-side private key component, sends a control instruction to the cipher machine. The control instruction carries related information and instructs the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine. The related information includes the server-side platform identification.
With reference to Fig. 5, in one embodiment, server side 2 includes server-side communication module 21 and private key component processing control module 22.
Server-side communication module 21 is used to receive the message sent by the client. The message sent by the client can be any possible message, provided it can instruct or trigger the server side to execute an operation related to the server-side private key component. In one embodiment, the message can be one sent while instructing the server side to generate the server-side private key, or one sent while executing a digital signature or decryption. In different technical scenarios, the information contained in the message can differ.
In one embodiment, the message sent by the client may contain only what is needed to instruct or trigger the server side to execute the operation related to the server-side private key component.
In one embodiment, the message sent by the client may include a user identifier. By including the user identifier in the message, the server side can subsequently generate the server-side private key component corresponding to that user identifier, so that different server-side private key components can be generated for different users.
In one embodiment, the message sent by the client may include a key identification. By including the key identification in the message, the server side can subsequently generate the server-side private key component corresponding to that key identification, so that different server-side private key components can be generated for different key identifications, and the different components generated can be used for different purposes.
In one embodiment, the message sent by the client may include both a user identifier and a key identification. By including both in the message, the server side can subsequently generate, based on the user identifier and the key identification, different server-side private key components corresponding to the user identifier, and the different components generated can be used for the different purposes corresponding to that user identifier.
Private key component processing control module 22 is used to send a control instruction to the cipher machine when the message meets the use condition for the server-side private key component. The control instruction carries related information and instructs the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine. The related information includes the server-side platform identification.
The use condition for the server-side private key component can be set in different ways, provided the message can trigger the server side to send the above control instruction to the cipher machine.
For example, in one embodiment the message can be a related message in the process in which the client and the server side cooperate to generate the server-side private key component.
In another embodiment, the message can be a related message in the process in which the client and the server side cooperate in encryption, signing or decryption. Taking signing as an example, the control instruction can be a signature instruction, which instructs the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to perform the digital signature based on the server-side private key component. The cipher machine can thus be instructed to generate the server-side private key component during the execution of the digital signature. The server side therefore actually completes generation of the server-side private key component while executing the digital signature, and neither the server on which the server side runs nor the cipher machine needs to store the generated component. Where the server side needs to co-sign with the users of many different user terminals, the server side and the cipher machine do not need to store a massive number of server-side private key components, which further improves security.
In one embodiment, when the message sent by the client includes a user identifier, the related information may also include the user identifier. In this case, based on the control instruction, the cipher machine generates the server-side private key component from the server-side platform identification, the user identifier and the symmetric key of the cipher machine. The server side can thus generate the server-side private key component corresponding to the user identifier, so that different server-side private key components can be generated for different users.
In one embodiment, when the message sent by the client includes a key identification, the related information also includes the key identification. In this case, based on the control instruction, the cipher machine generates the server-side private key component from the server-side platform identification, the key identification and the symmetric key of the cipher machine. The server side can thus generate different server-side private key components for different key identifications, and the different components generated can be used for different purposes.
In one embodiment, when the message sent by the client includes both a user identifier and a key identification, the related information also includes both. In this case, based on the control instruction, the cipher machine generates the server-side private key component from the server-side platform identification, the user identifier, the key identification and the symmetric key of the cipher machine. The server side can thus generate, based on the user identifier and the key identification, different server-side private key components corresponding to the user identifier, and the different components generated can be used for the different purposes corresponding to that user identifier.
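One way a cipher machine could derive the server-side private key component from the related information on demand, as an added Python sketch rather than the patent's algorithm, which the text leaves open. It assumes HMAC-SHA256 keyed with the cipher machine's symmetric key and length-prefixes each field so that the user identifier and the key identification cannot run into each other; the class and function names are hypothetical, and the returned HMAC tag is only a stand-in for the server's share of a collaborative signature.

```python
import hashlib
import hmac


def encode_related_info(platform_id: bytes, user_id: bytes = b"",
                        key_id: bytes = b"") -> bytes:
    """Length-prefix every field so distinct (user, key) pairs never encode alike."""
    return b"".join(len(field).to_bytes(2, "big") + field
                    for field in (platform_id, user_id, key_id))


def naive_related_info(platform_id: bytes, user_id: bytes = b"",
                       key_id: bytes = b"") -> bytes:
    """Plain concatenation, kept only to contrast with the encoding above."""
    return platform_id + user_id + key_id


class CipherMachineSketch:
    """Holds only the symmetric key; components are derived per request."""

    def __init__(self, symmetric_key: bytes):
        self._symmetric_key = symmetric_key

    def _derive_component(self, platform_id: bytes, user_id: bytes,
                          key_id: bytes) -> bytes:
        # Assumed derivation: HMAC-SHA256(symmetric key, related information).
        info = encode_related_info(platform_id, user_id, key_id)
        return hmac.new(self._symmetric_key, info, hashlib.sha256).digest()

    def server_share(self, message: bytes, platform_id: bytes,
                     user_id: bytes = b"", key_id: bytes = b"") -> bytes:
        """Derive d2, use it once, and return only the operation's result.

        d2 is a local variable: it is neither returned in plaintext nor
        written to any attribute or storage.
        """
        d2 = self._derive_component(platform_id, user_id, key_id)
        return hmac.new(d2, message, hashlib.sha256).digest()


if __name__ == "__main__":
    machine = CipherMachineSketch(bytes(range(32)))   # constructed sample key
    platform = b"platform-01"                         # constructed identifier
    a = machine.server_share(b"doc", platform, b"alice", b"sign")
    b = machine.server_share(b"doc", platform, b"alice", b"decrypt")
    print("same inputs repeat:", a == machine.server_share(b"doc", platform, b"alice", b"sign"))
    print("different key identification differs:", a != b)
    print("naive concatenation collides:",
          naive_related_info(b"p", b"ab", b"c") == naive_related_info(b"p", b"a", b"bc"))
```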
With reference to Fig. 5, in one embodiment, server side 2 further includes platform identification generation module 23, which is used to generate the server-side platform identification. The server-side platform identification may be generated in any possible way. For example, in one embodiment, a random number can be generated by a random number generator and used as the server-side platform identification, to strengthen the randomness of the platform identification obtained and thereby the randomness of the server-side private key component generated from it, further strengthening security. In another embodiment, the server-side platform identification can be generated from information related to the server side using some algorithm.
With reference to Fig. 5, in one embodiment, server side 2 further includes server-side private key copy destruction module 24, which is used to send a destruction instruction to the cipher machine. The destruction instruction instructs the cipher machine to destroy the copy of the server-side private key component in memory. Thus, each time the server-side private key component has been used, its copy in memory is destroyed, which avoids the possibility of a third party obtaining the in-memory copy and further strengthens security.
With reference to Fig. 5, in one embodiment, server side 2 further includes security permission control module 25, which is used to ensure that the server-side private key component cannot be exported from the cipher machine in plaintext, and that the server-side private key component is not allowed to be stored in a non-volatile storage component. This further strengthens the protection of the server-side private key component and further strengthens security.
With reference to Fig. 5, in one embodiment, for the application scenario of generating the client private key component, the client 1 includes: a client private key component generation module 101, a temporary key generation module 102, a private key component encryption module 103 and a client communication module 104.
The client private key component generation module 101 is for generating the client private key component.
The client private key component may be generated in any possible way. In one embodiment, a random number can be generated with a random number generator and used as the client private key component.
The temporary key generation module 102 is for obtaining the CUSTOMER ID and generating the client temporary key based on the CUSTOMER ID.
In one embodiment, the CUSTOMER ID can be the user's PIN (personal identification number), and can be obtained from the user's input.
The client temporary key may be generated from the CUSTOMER ID in any possible way. In one embodiment, the client temporary key can be obtained by executing a key derivation algorithm with the CUSTOMER ID input by the user as the input parameter.
With reference to Fig. 5, in one embodiment, the client 1 further includes a device fingerprint information module 107, for obtaining device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification.
At this point, the above temporary key generation module 102 generates the temporary key based on the CUSTOMER ID and the device fingerprint information. In one specific example, the client temporary key can be obtained by executing a key derivation algorithm with the CUSTOMER ID input by the user and the device fingerprint information as input parameters.
In one embodiment, the client 1 further includes a device identity identification generation module (not shown), which generates the device identity identification with a random number generator and stores it. The device identity identification can be stored in non-volatile storage space so that it can be read in subsequent use.
With reference to Fig. 5, in one embodiment, the client 1 further includes a salt value module 108, for generating a salt value (an additional value added during the cryptographic process) and storing it. The salt value can be stored in non-volatile storage space so that it can be read in subsequent use.
At this point, the above temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID and the salt value.
In one embodiment, with reference to Fig. 5, the client 1 can include both the device fingerprint information module 107 and the salt value module 108. At this point, the temporary key generation module 102 obtains the client temporary key by executing a key derivation algorithm with the CUSTOMER ID input by the user, the device fingerprint information and the salt value as input parameters. Introducing the salt value helps resist rainbow table attacks and further strengthens security.
With reference to Fig. 5, in one embodiment, the client 1 can also include a random integer module 109, for generating a random integer and storing it. The random integer can be stored in non-volatile storage space so that it can be read in subsequent use.
At this point, the above temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID by executing the key derivation algorithm a number of times equal to the random integer. Introducing the random integer helps resist rainbow table attacks and further strengthens security.
In one embodiment, the client 1 can include both the above device fingerprint information module 107 and the random integer module 109. At this point, the above temporary key generation module 102 takes the CUSTOMER ID and the device fingerprint information as input parameters and generates the client temporary key by executing the key derivation algorithm a number of times equal to the random integer.
In one embodiment, the client 1 can also include both the salt value module 108 and the random integer module 109. At this point, the temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID and the salt value by executing the key derivation algorithm a number of times equal to the random integer.
In one embodiment, the client 1 can also include the device fingerprint information module 107, the salt value module 108 and the random integer module 109 at the same time. At this point, the temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID, the device fingerprint information and the salt value by executing the key derivation algorithm a number of times equal to the random integer.
With reference to Fig. 5, in one embodiment, the client 1 further includes a password authentication module 106, for obtaining the password authentication information and verification code input by the user, verifying the password authentication information and the verification code, and displaying the CUSTOMER ID input interface when verification passes. Double authentication with a password and a verification code can thus be used, and the CUSTOMER ID may be input only when both are verified as correct. In a specific example, the length and character types of the password can also be restricted, for example the length of the password must be greater than a first predetermined length and the characters must include uppercase letters, lowercase letters, digits and so on, to enforce high-strength verification.
In one embodiment, the password authentication module 106 can also lock the mechanism for verifying the password authentication information and verification code when verification fails a first predetermined number of consecutive times, that is, the user is not allowed to continue with the corresponding flow, and unlock it after waiting for a first time period. If, after unlocking, verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after waiting for a second time period, the second time period being longer than the first time period, and so on.
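The password rule and the escalating lock described above can be sketched as a small state machine. This is an added example, not code from the patent: the class name `EscalatingLockout`, the stage values, resetting to the first stage after a successful verification, and staying on the last stage once it is reached are assumptions.

```python
import time
from typing import Callable, List, Tuple


def password_is_strong(password: str, min_length: int) -> bool:
    """Longer than min_length and containing uppercase, lowercase and a digit."""
    return (len(password) > min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


class EscalatingLockout:
    """Locks verification after N consecutive failures, for longer each time."""

    def __init__(self, stages: List[Tuple[int, float]],
                 clock: Callable[[], float] = time.monotonic) -> None:
        # stages = [(failures allowed, lock period in seconds), ...]
        periods = [period for _, period in stages]
        if (not stages or any(count < 1 for count, _ in stages)
                or periods != sorted(set(periods))):
            raise ValueError("need positive counts and strictly increasing lock periods")
        self._stages = stages
        self._clock = clock          # injectable so the policy can be tested
        self._stage = 0
        self._failures = 0
        self._locked_until = 0.0

    def locked(self) -> bool:
        return self._clock() < self._locked_until

    def attempt(self, verify: Callable[[], bool]) -> str:
        """Return "ok" (show the CUSTOMER ID input), "failed" or "locked"."""
        if self.locked():
            return "locked"          # credentials are not evaluated while locked
        if verify():                 # password AND verification code both correct
            self._stage = 0          # assumption: success resets the escalation
            self._failures = 0
            return "ok"
        self._failures += 1
        limit, period = self._stages[self._stage]
        if self._failures >= limit:
            self._locked_until = self._clock() + period
            self._failures = 0
            # Assumption: once the last stage is reached it keeps applying.
            self._stage = min(self._stage + 1, len(self._stages) - 1)
        return "failed"


if __name__ == "__main__":
    lock = EscalatingLockout([(3, 60.0), (2, 300.0)])
    print(password_is_strong("Tr1ckyPassphrase", 8))
    print([lock.attempt(lambda: False) for _ in range(4)])
```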
The private key component encryption/decryption module 103 is for encrypting the client private key component with the client temporary key to obtain the client private key component ciphertext.
The client private key component may be encrypted with the client temporary key in any possible way. For example, the client temporary key can serve as a symmetric key, and symmetric encryption is performed on the client private key component with the client temporary key to obtain the client private key ciphertext. In one embodiment, the client private key ciphertext obtained can be saved in non-volatile storage space inside the client's isolation container.
Accordingly, as shown in Fig. 5, the client can also include a client private key ciphertext storage module 105, for storing the above client private key component ciphertext.
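The client-side flow described above (device fingerprint, salt value, random iteration count, temporary key, encrypted component) is shown end to end in the following added example, which is not code from the patent. Assumptions: PBKDF2-HMAC-SHA256 as the key derivation algorithm, SHA-256 for the fingerprint, the iteration range, the record layout, and an HMAC-based encrypt-then-MAC construction used only as a standard-library stand-in for an authenticated cipher.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def device_fingerprint(hardware: str, software: str, device_id: bytes) -> bytes:
    """Hash hardware parameters, software parameters and the device identity."""
    h = hashlib.sha256()
    for part in (hardware.encode(), software.encode(), device_id):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefixed fields
    return h.digest()


def derive_temp_key(pin: str, fingerprint: bytes, salt: bytes, iterations: int) -> bytes:
    """Client temporary key from CUSTOMER ID, fingerprint, salt and iteration count."""
    pin_bytes = pin.encode()
    secret = len(pin_bytes).to_bytes(4, "big") + pin_bytes + fingerprint
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def _subkeys(temp_key: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for encryption and authentication.
    return (hmac.new(temp_key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(temp_key, b"authenticate", hashlib.sha256).digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a real cipher (assumption)."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(temp_key: bytes, component: bytes) -> bytes:
    """Encrypt the client private key component, then authenticate the result."""
    enc, mac = _subkeys(temp_key)
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(enc, nonce, component)
    return body + hmac.new(mac, body, hashlib.sha256).digest()


def unwrap(temp_key: bytes, blob: bytes) -> bytes:
    """Check the tag first; only then decrypt."""
    enc, mac = _subkeys(temp_key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
        raise ValueError("wrong CUSTOMER ID, different device, or damaged ciphertext")
    return _xor_stream(enc, body[:16], body[16:])


def enroll(pin: str, hardware: str, software: str) -> Tuple[Dict[str, object], bytes]:
    """Generation scenario: returns the record to store and the new component."""
    device_id = secrets.token_bytes(16)               # device identity identification
    salt = secrets.token_bytes(16)                    # salt value
    iterations = 100_000 + secrets.randbelow(50_000)  # random integer (range assumed)
    component = secrets.token_bytes(32)               # client private key component
    fingerprint = device_fingerprint(hardware, software, device_id)
    temp_key = derive_temp_key(pin, fingerprint, salt, iterations)
    record = {"device_id": device_id, "salt": salt, "iterations": iterations,
              "ciphertext": wrap(temp_key, component)}
    return record, component


def unlock(pin: str, hardware: str, software: str, record: Dict[str, object]) -> bytes:
    """Use scenario: re-derive the temporary key and decrypt the stored ciphertext."""
    fingerprint = device_fingerprint(hardware, software, record["device_id"])
    temp_key = derive_temp_key(pin, fingerprint, record["salt"], record["iterations"])
    return unwrap(temp_key, record["ciphertext"])
```

The salt value, random integer and device identity identification are stored in the clear beside the ciphertext; they make precomputed tables useless and each guess slower, but the secrecy of the component still rests on the CUSTOMER ID.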
The client communication module 104 is for sending a message to the server-side.
The message sent by the client can be any possible message, as long as it can instruct or trigger the server-side to perform an operation related to the server-side private key component. In one embodiment, the message sent by the client can be a message sent while instructing the server-side to generate the server-side private key, or a message sent while performing a digital signature or decryption. The information included in the message can differ between technical scenarios.
With reference to Fig. 5, in one embodiment, taking the application scenario of using the client private key component as an example, the processing system based on a distributed private key includes a client 1 and a server-side 2, wherein:
The client 1 obtains the CUSTOMER ID and the client private key component ciphertext, generates the client temporary key based on the CUSTOMER ID, decrypts the client private key component ciphertext with the client temporary key to obtain the client private key component, and sends a message to the server-side;
The server-side 2 receives the message sent by the client and, when the message meets the server-side private key component use condition, sends a control instruction to the cipher machine; the control instruction carries related information and instructs the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including the server-side platform identification. The structure of the server-side 2 can be the same as in the scenario of generating the client private key component.
At this point, the client 1 includes: a client private key ciphertext storage module 105, a temporary key generation module 102, a private key component decryption module 112 and the above client communication module 104.
The client private key ciphertext storage module 105 is for storing the client private key ciphertext. Specifically, it can store the client private key ciphertext obtained by the above private key component encryption module 103.
The temporary key generation module 102 is for obtaining the CUSTOMER ID and generating the client temporary key based on the CUSTOMER ID.
In one embodiment, the CUSTOMER ID can be the user's PIN (personal identification number), and can be obtained from the user's input.
The client temporary key may be generated from the CUSTOMER ID in any possible way. In one embodiment, the client temporary key can be obtained by executing a key derivation algorithm with the CUSTOMER ID input by the user as the input parameter.
With reference to Fig. 5, in one embodiment, when the above client 1 includes the device fingerprint information module 107, the device fingerprint information module 107 can read the device hardware parameters, the device software parameters and the device identity identification, and generate the device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification.
At this point, the above temporary key generation module 102 generates the temporary key based on the CUSTOMER ID and the device fingerprint information. In one specific example, the client temporary key can be obtained by executing a key derivation algorithm with the CUSTOMER ID input by the user and the device fingerprint information as input parameters.
With reference to Fig. 5, in one embodiment, when the client 1 includes the salt value module 108, the salt value module 108 also reads the stored salt value. At this point, the above temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID and the salt value.
In one embodiment, with reference to Fig. 5, when the client 1 includes both the above device fingerprint information module 107 and the salt value module 108, the above temporary key generation module 102 obtains the client temporary key by executing a key derivation algorithm with the CUSTOMER ID input by the user, the device fingerprint information and the salt value as input parameters. Introducing the salt value helps resist rainbow table attacks and further strengthens security.
With reference to Fig. 5, in one embodiment, when the client 1 includes the random integer module 109, the random integer module 109 also reads the stored random integer. At this point, the above temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID by executing the key derivation algorithm a number of times equal to the random integer. Introducing the random integer helps resist rainbow table attacks and further strengthens security.
It can be understood that, in one embodiment, when the client 1 includes both the above device fingerprint information module 107 and the random integer module 109, the above temporary key generation module 102 takes the CUSTOMER ID and the device fingerprint information as input parameters and generates the client temporary key by executing the key derivation algorithm a number of times equal to the random integer. When the client 1 includes both the salt value module 108 and the random integer module 109, the temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID and the salt value by executing the key derivation algorithm a number of times equal to the random integer. When the client 1 includes the device fingerprint information module 107, the salt value module 108 and the random integer module 109 at the same time, the temporary key generation module 102 can generate the temporary key based on the CUSTOMER ID, the device fingerprint information and the salt value by executing the key derivation algorithm a number of times equal to the random integer.
With reference to Fig. 5, in one embodiment, the client 1 further includes a password authentication module 106, for obtaining the password authentication information and verification code input by the user, verifying the password authentication information and the verification code, and displaying the CUSTOMER ID input interface when verification passes.
In addition, the password authentication module 106 can also lock the mechanism for verifying the password authentication information and verification code when verification fails a first predetermined number of consecutive times, that is, the user is not allowed to continue with the corresponding flow, and unlock it after waiting for a first time period. If, after unlocking, verification fails a second predetermined number of consecutive times, the mechanism is locked again and unlocked after waiting for a second time period, the second time period being longer than the first time period, and so on.
The private key component decryption module 112 is for reading the client private key ciphertext and decrypting the client private key component ciphertext with the client temporary key to obtain the client private key component.
The client private key component may be decrypted with the client temporary key in any possible way, as long as it corresponds to the encryption method. For example, the client temporary key can serve as a symmetric key, and symmetric decryption is performed with the client temporary key to obtain the client private key component.
With reference to Fig. 5, in one embodiment, the client 1 further includes a client private key copy destruction module 110, for destroying the copy of the client private key component in memory after a digital signature has been made based on the client private key component during the digital signature process. This avoids the possibility of others learning the copy of the client private key component in memory and further strengthens security.
With reference to Fig. 5, in one embodiment, the client 1 further includes a client private key component match verification module 111, for verifying, in cooperation with the server-side, whether the server-side private key component matches the client private key component. Unauthorized use of the server-side private key component can thereby be avoided.
Based on the examples described above, one embodiment also provides a computer device. The computer device includes a memory and a processor; a computer program is stored in the memory, and the processor, when executing the program, implements the method of any one of the above embodiments.
Fig. 6 shows the internal structure of the computer device in one embodiment. The computer device can specifically be the device one and device two involved in the above environment. As shown in Fig. 6, the computer device includes a processor, a memory and a network interface connected by a system bus. Where the computer device is a user terminal, it can also include an input device. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and can also store a computer program which, when executed by the processor, causes the processor to implement the processing method based on a distributed private key. The internal memory can also store a computer program which, when executed by the processor, causes the processor to perform the processing method based on a distributed private key.
Those skilled in the art will understand that the structure shown in Fig. 6 is only a block diagram of the part of the structure relevant to the solution of this application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
Those of ordinary skill in the art will understand that all or part of the flows in the above embodiment methods can be completed by a computer program instructing the relevant hardware. The program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
Accordingly, one embodiment also provides a computer storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method of any one of the above embodiments.
The technical features of the embodiments described above can be combined arbitrarily. To keep the description concise, not all possible combinations of the technical features in the above embodiments are described; however, as long as a combination of these technical features contains no contradiction, it should be considered within the scope of this specification.
Claims (24)
1. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
receiving a message sent by a client;
when the message meets the server-side private key component use condition, sending a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including a server-side platform identification.
2. The method according to claim 1, characterized in that it includes at least one of the following:
the message includes a user identifier and/or a key identification, and the related information further includes the user identifier and/or the key identification;
the control instruction is a signature instruction, the signature instruction instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to make a digital signature based on the server-side private key component;
a destruction instruction is sent to the cipher machine, the destruction instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before the control instruction is sent to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext form;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
3. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
a client generates a client private key component, obtains a CUSTOMER ID, generates a client temporary key based on the CUSTOMER ID, encrypts the client private key component with the client temporary key to obtain a client private key component ciphertext, and sends a message to a server-side;
the server-side receives the message sent by the client and, when the message meets the server-side private key component use condition, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including a server-side platform identification.
4. The method according to claim 3, characterized in that it includes at least one of the following:
the message includes a user identifier and/or a key identification, and the related information further includes the user identifier and/or the key identification;
the control instruction is a signature instruction, the signature instruction instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to make a digital signature based on the server-side private key component;
a destruction instruction is sent to the cipher machine, the destruction instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before the control instruction is sent to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext form;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
5. The method according to claim 3, characterized in that it includes any one of the following items:
First item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: obtaining device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID and the device fingerprint information;
Second item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a salt value and storing the salt value;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID and the salt value;
Third item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a salt value and storing the salt value; and obtaining device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID, the salt value and the device fingerprint information;
Fourth item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a random integer and storing the random integer;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: based on the CUSTOMER ID, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Fifth item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a salt value and a random integer, and storing the salt value and the random integer;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: based on the CUSTOMER ID and the salt value, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Sixth item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a random integer, and obtaining device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: based on the CUSTOMER ID and the device fingerprint information, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Seventh item:
before obtaining the CUSTOMER ID input by the user, the client further performs the step of: generating a salt value and a random integer, and storing the salt value and the random integer; and obtaining device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: based on the CUSTOMER ID, the salt value and the device fingerprint information, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key.
6. The method according to any one of claims 3 to 5, characterized in that it includes at least one of the following items:
First item:
before obtaining the CUSTOMER ID input by the user, the client further performs the steps of:
obtaining the password authentication information and verification code input by the user;
verifying the password authentication information and the verification code and, when verification passes, displaying the CUSTOMER ID input interface;
Second item:
during the digital signature process, after making a digital signature based on the client private key component, the client destroys the copy of the client private key component in memory;
Third item:
before the digital signature is made, the client verifies, in cooperation with the server-side, whether the server-side private key component matches the client private key component.
7. A processing method based on a distributed private key, characterized in that the method comprises the steps of:
a client obtains a CUSTOMER ID and a client private key component ciphertext, generates a client temporary key based on the CUSTOMER ID, decrypts the client private key component ciphertext with the client temporary key to obtain a client private key component, and sends a message to a server-side;
the server-side receives the message sent by the client and, when the message meets the server-side private key component use condition, sends a control instruction to a cipher machine, the control instruction carrying related information and instructing the cipher machine to generate a server-side private key component according to the related information and the symmetric key of the cipher machine, the related information including a server-side platform identification.
8. The method according to claim 7, characterized in that it includes at least one of the following items:
the message includes a user identifier and/or a key identification, and the related information further includes the user identifier and/or the key identification;
the control instruction is a signature instruction, the signature instruction instructing the cipher machine to generate the server-side private key component according to the related information and the symmetric key of the cipher machine, and to make a digital signature based on the server-side private key component;
a destruction instruction is sent to the cipher machine, the destruction instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
before the control instruction is sent to the cipher machine, the method further comprises the step of: generating the server-side platform identification;
the server-side private key component cannot be exported from the cipher machine in plaintext form;
the server-side private key component is not allowed to be stored in a non-volatile storage component.
9. The method according to claim 7, characterized in that it includes any one of the following items:
First item:
before generating the client temporary key based on the CUSTOMER ID, the client further performs the step of: reading device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID and the device fingerprint information;
Second item:
before generating the client temporary key based on the CUSTOMER ID, the client further performs the step of: reading the stored salt value;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID and the salt value;
Third item:
before generating the client temporary key based on the CUSTOMER ID, the client further performs the step of: reading the stored salt value; and reading device hardware parameters, device software parameters and a device identity identification, and generating device fingerprint information based on the device hardware parameters, the device software parameters and the device identity identification;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: generating the temporary key based on the CUSTOMER ID, the salt value and the device fingerprint information;
Fourth item:
before generating the client temporary key based on the CUSTOMER ID, the client further performs the step of: reading the stored random integer;
the step of the client generating the client temporary key based on the CUSTOMER ID comprises: based on the CUSTOMER ID, executing the key derivation algorithm a number of times equal to the random integer to generate the temporary key;
Fifth item:
before generating the client temporary key based on the CUSTOMER ID, the client further performs the step of: reading the stored salt value and random integer;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the salt figure, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 6:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Random integers, and read device hardware parameter, device software parameter and equipment identities mark, based on the device hardware join
Several, the described device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the device-fingerprint information, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 7:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Salt figure and random integers;And device hardware parameter, device software parameter and equipment identities mark are obtained, it is based on the equipment
Hardware parameter, the device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the salt figure and the device-fingerprint information, the key derivation algorithm generation for executing the random integers time are described interim close
Key.
10. The method according to any one of claims 7 to 9, characterized by including at least one of the following:
Item 1:
Before obtaining the user identification code input by the user, the client further performs the steps of:
Obtaining password authentication information and a verification code input by the user;
Verifying the password authentication information and the verification code and, when verification passes, displaying a user identification code input interface;
Item 2:
During digital signing, after performing a digital signature based on the client private key component, the client destroys the copy of the client private key component in memory;
Item 3:
Before the digital signature is performed, the client and the server cooperatively verify whether the server-side private key component matches the client private key component.
11. A processing system based on a distributed private key, characterized in that the system comprises a client and a server;
The client generates a client private key component, obtains a user identification code, generates a client temporary key based on the user identification code, encrypts the client private key component using the client temporary key to obtain a client private key component ciphertext, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the server-side private key component use condition, sends a control instruction to the cipher machine, the control instruction carrying associated information and instructing the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, the associated information including a server-side platform identification.
12. The system according to claim 11, characterized in that the server includes:
A server-side communication module, for receiving the message sent by the client;
A private key component processing control module, for sending a control instruction to the cipher machine when the message meets the server-side private key component use condition, the control instruction carrying associated information and instructing the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, the associated information including a server-side platform identification.
13. The system according to claim 12, characterized by including at least one of the following:
The message includes a user identifier and/or a key identifier; the associated information further includes the user identifier and/or the key identifier;
The control instruction is a signature instruction, which instructs the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, and to perform a digital signature based on the server-side private key component;
The server further includes: a server-side private key copy destruction module, for sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
The server further includes: a platform identification generation module, for generating the server-side platform identification;
The server further includes: a security permission control module, for controlling that the server-side private key component cannot be exported from the cipher machine in plaintext form, and that the server-side private key component is not allowed to be stored in a non-volatile storage component.
14. The system according to claim 11, characterized in that the client includes:
A client private key component generation module, for generating the client private key component;
A temporary key generation module, for obtaining the user identification code and generating the client temporary key based on the user identification code;
A private key component encryption module, for encrypting the client private key component using the client temporary key to obtain the client private key component ciphertext;
A client communication module, for sending the message to the server.
15. The system according to claim 14, characterized by including any one of the following:
Item 1:
The client further includes: a device fingerprint information module, for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information;
Item 2:
The client further includes: a salt value module, for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value;
Item 3:
The client further includes a device fingerprint information module and a salt value module;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information;
Item 4:
The client further includes: a random integer module, for generating a random integer and storing the random integer;
The temporary key generation module generates the temporary key based on the user identification code by executing a key derivation algorithm a number of times equal to the random integer;
Item 5:
The client further includes: a random integer module and a device fingerprint information module;
The random integer module is for generating a random integer and storing the random integer;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer;
Item 6:
The client further includes: a random integer module and a salt value module;
The random integer module is for generating a random integer and storing the random integer;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value by executing a key derivation algorithm a number of times equal to the random integer;
Item 7:
The client further includes: a random integer module, a device fingerprint information module and a salt value module;
The random integer module is for generating a random integer and storing the random integer;
The device fingerprint information module is for obtaining a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for generating a salt value and storing the salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer.
16. The system according to any one of claims 13 to 15, characterized by including at least one of the following:
Item 1:
The client further includes: a password authentication module, for obtaining password authentication information and a verification code input by the user, verifying the password authentication information and the verification code and, when verification passes, displaying a user identification code input interface;
Item 2:
The client further includes: a client private key copy destruction module, for destroying, during digital signing, the copy of the client private key component in memory after a digital signature has been performed based on the client private key component;
Item 3:
The client further includes: a client private key component match verification module, for verifying, in cooperation with the server, whether the server-side private key component matches the client private key component.
17. A processing system based on a distributed private key, characterized in that the system comprises a client and a server;
The client obtains a user identification code and a client private key component ciphertext, generates a client temporary key based on the user identification code, decrypts the client private key component ciphertext using the client temporary key to obtain the client private key component, and sends a message to the server;
The server receives the message sent by the client and, when the message meets the server-side private key component use condition, sends a control instruction to the cipher machine, the control instruction carrying associated information and instructing the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, the associated information including a server-side platform identification.
18. The system according to claim 17, characterized in that the server includes:
A server-side communication module, for receiving the message sent by the client;
A private key component processing control module, for sending a control instruction to the cipher machine when the message meets the server-side private key component use condition, the control instruction carrying associated information and instructing the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, the associated information including a server-side platform identification.
19. The system according to claim 18, characterized by including at least one of the following:
The message includes a user identifier and/or a key identifier; the associated information further includes the user identifier and/or the key identifier;
The control instruction is a signature instruction, which instructs the cipher machine to generate the server-side private key component according to the associated information and the symmetric key of the cipher machine, and to perform a digital signature based on the server-side private key component;
The server further includes: a server-side private key copy destruction module, for sending a destroy instruction to the cipher machine, the destroy instruction instructing the cipher machine to destroy the copy of the server-side private key component in memory;
The server further includes: a platform identification generation module, for generating the server-side platform identification;
The server further includes: a security permission control module, for controlling that the server-side private key component cannot be exported from the cipher machine in plaintext form, and that the server-side private key component is not allowed to be stored in a non-volatile storage component.
20. The system according to claim 17, characterized in that the client includes:
A client private key ciphertext storage module, for storing the client private key ciphertext;
A temporary key generation module, for obtaining the user identification code and generating the client temporary key based on the user identification code;
A private key component decryption module, for reading the client private key ciphertext and decrypting the client private key component ciphertext using the client temporary key to obtain the client private key component;
A client communication module, for sending the message to the server.
21. The system according to claim 20, characterized by including any one of the following:
Item 1:
The client further includes: a device fingerprint information module, for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information;
Item 2:
The client further includes: a salt value module, for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value;
Item 3:
The client further includes a device fingerprint information module and a salt value module;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information;
Item 4:
The client further includes: a random integer module, for reading a stored random integer;
The temporary key generation module generates the temporary key based on the user identification code by executing a key derivation algorithm a number of times equal to the random integer;
Item 5:
The client further includes: a random integer module and a device fingerprint information module;
The random integer module is for reading a stored random integer;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The temporary key generation module generates the temporary key based on the user identification code and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer;
Item 6:
The client further includes: a random integer module and a salt value module;
The random integer module is for reading a stored random integer;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code and the salt value by executing a key derivation algorithm a number of times equal to the random integer;
Item 7:
The client further includes: a random integer module, a device fingerprint information module and a salt value module;
The random integer module is for reading a stored random integer;
The device fingerprint information module is for reading a device hardware parameter, a device software parameter and a device identity identifier, and generating device fingerprint information based on the device hardware parameter, the device software parameter and the device identity identifier;
The salt value module is for reading a stored salt value;
The temporary key generation module generates the temporary key based on the user identification code, the salt value and the device fingerprint information by executing a key derivation algorithm a number of times equal to the random integer.
22. The system according to any one of claims 19 to 21, characterized by including at least one of the following:
Item 1:
The client further includes: a password authentication module, for obtaining password authentication information and a verification code input by the user, verifying the password authentication information and the verification code and, when verification passes, displaying a user identification code input interface;
Item 2:
The client further includes: a client private key copy destruction module, for destroying, during digital signing, the copy of the client private key component in memory after a digital signature has been performed based on the client private key component;
Item 3:
The client further includes: a client private key component match verification module, for verifying, in cooperation with the server, whether the server-side private key component matches the client private key component.
23. A computer device, including a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of claim 1 or 2, or implements the processing steps of the client or the server in the method of any one of claims 3 to 10.
24. A computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the steps of the method of claim 1 or 2, or implements the processing steps of the client or the server in the method of any one of claims 3 to 10.
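The client-side enrollment of claims 11, 14 and 15 and the unlock of claims 7, 9 and 17 to 21 (the Item 7 variant: user identification code, salt value, device fingerprint and random-integer iteration count), as an added Python example that is not part of the patent. PBKDF2-HMAC-SHA256, the HMAC-based encrypt-then-MAC wrapper (a standard-library stand-in for an AEAD cipher such as AES-GCM), the 100,000 floor on the random integer, and all function names and sample values are assumptions; the claims name neither a derivation algorithm nor a cipher.

```python
import hashlib
import hmac
import secrets

MIN_ROUNDS = 100_000  # assumed floor: a small random integer makes code guessing cheap


def device_fingerprint(hardware: str, software: str, device_id: str) -> bytes:
    """Hash the three device parameters; length prefixes keep field boundaries unambiguous."""
    h = hashlib.sha256()
    for field in (hardware, software, device_id):
        raw = field.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.digest()


def derive_temp_key(user_code: str, salt: bytes, fingerprint: bytes, rounds: int) -> bytes:
    """Temporary key from user code, salt and fingerprint, with the KDF iterated `rounds` times."""
    if rounds < MIN_ROUNDS:
        raise ValueError("stored iteration count is below the allowed floor")
    return hashlib.pbkdf2_hmac("sha256", user_code.encode("utf-8"),
                               salt + fingerprint, rounds, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (assumed stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(component: bytes, temp_key: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = temp_key[:32], temp_key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(component, _keystream(enc_key, nonce, len(component))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(blob: bytes, temp_key: bytes) -> bytearray:
    """Check the tag before decrypting; a wrong code or another device fails here."""
    if len(blob) < 48:
        raise ValueError("ciphertext record is truncated")
    enc_key, mac_key = temp_key[:32], temp_key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("temporary key does not match this ciphertext")
    return bytearray(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(user_code: str, device: tuple, component: bytes) -> dict:
    """Generate salt and random integer, derive the key, store only salt, rounds, ciphertext."""
    salt = secrets.token_bytes(16)
    rounds = MIN_ROUNDS + secrets.randbelow(MIN_ROUNDS)
    key = derive_temp_key(user_code, salt, device_fingerprint(*device), rounds)
    return {"salt": salt, "rounds": rounds, "ciphertext": wrap(component, key)}


def unlock(user_code: str, device: tuple, record: dict) -> bytearray:
    """Read stored salt and rounds, recompute the fingerprint, decrypt the component."""
    key = derive_temp_key(user_code, record["salt"],
                          device_fingerprint(*device), record["rounds"])
    return unwrap(record["ciphertext"], key)


def destroy(buf: bytearray) -> None:
    """Best-effort wipe of the in-memory copy after signing (Python may hold other copies)."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    device = ("cpu:constructed-A", "os:constructed-1.0", "id:constructed-0001")
    record = enroll("482915", device, secrets.token_bytes(32))
    component = unlock("482915", device, record)
    print("recovered", len(component), "bytes with", record["rounds"], "rounds")
    destroy(component)
```

Because the fingerprint is recomputed at unlock and never stored, a ciphertext record copied to another device fails the tag check in the same way a wrong user identification code does.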
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810220635.0A CN108471352B (en) | 2018-03-16 | 2018-03-16 | Processing method, system, computer equipment and storage medium based on distributed private key |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108471352A (en) | 2018-08-31 |
CN108471352B (en) | 2022-03-04 |
Family
ID=63264478
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810220635.0A Active CN108471352B (en) | 2018-03-16 | 2018-03-16 | Processing method, system, computer equipment and storage medium based on distributed private key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108471352B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN108471352B (en) | 2022-03-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||