CN108494551A - Processing method, system, computer equipment and storage medium based on collaboration key - Google Patents
Processing method, system, computer equipment and storage medium based on collaboration key Download PDFInfo
- Publication number
- CN108494551A CN108494551A CN201810220849.8A CN201810220849A CN108494551A CN 108494551 A CN108494551 A CN 108494551A CN 201810220849 A CN201810220849 A CN 201810220849A CN 108494551 A CN108494551 A CN 108494551A
- Authority
- CN
- China
- Prior art keywords
- client
- customer
- server
- private key
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0866—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
This application involves a kind of processing method, computer equipment and computer storage media based on collaboration key, the processing method based on collaboration key of one embodiment includes:CUSTOMER ID is obtained, client temporary key is generated based on the CUSTOMER ID;Generate client private key component;The client private key component is encrypted using the client temporary key, obtains client private key component ciphertext.The client private key component of generation is encrypted in the temporary key that this embodiment scheme is derived from by CUSTOMER ID; it forms and the possibility that storage key is illegally obtained by third party is avoided to the effective protection of client private key component, strengthen the safety of the private key component of distributed private key.
Description
Technical field
This application involves technical field of cryptology, more particularly to a kind of processing method based on collaboration key, based on association
With the processing system of key, computer equipment and computer storage media.
Background technology
With the development of mobile Internet, realize that digital signature becomes active demand in mobile terminal.Due to mobile terminal
Operating system be revisable untrusted running environment, in order in effective protection mobile terminal for signature private key for user,
Many researchers propose the scheme that the collaboration based on distributed cipher key generates electronic signature.In this scenario, in communicating pair
Storage section private key respectively, two sides joint, which such as could sign to message or decrypt at operations, the communicating pair, can not get
Any information of other side's private key.But when implementing the technical solution of collaboration signature, it is necessary to take means realizing to client and
The effective protection of the private key component of server-side, to resist the attack means such as monitor channel, client wooden horse.
Invention content
Based on this, it is necessary to provide a kind of processing method based on collaboration key, based on the collaboration processing of key, computer
Equipment and computer storage media.
A kind of processing method based on collaboration key, the method includes the steps:
CUSTOMER ID is obtained, client temporary key is generated based on the CUSTOMER ID;
Generate client private key component;
The client private key component is encrypted using the client temporary key, it is close to obtain client private key component
Text.
A kind of processing method based on collaboration key, the method includes the steps:
CUSTOMER ID is obtained, client temporary key is generated based on the CUSTOMER ID;
Generate client private key component;
The client private key component is encrypted using the client temporary key, it is close to obtain client private key component
Text.
A kind of processing method based on collaboration key, the method includes the steps:
Client generates client private key component, obtains CUSTOMER ID, and client is generated based on the CUSTOMER ID
Temporary key, and the client private key component is encrypted using the client temporary key, obtain client private key component
Ciphertext, and send message to server-side;
Server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction, which carries, closes
Join information, the control instruction is described to indicate that the cipher machine generates server-side private key component according to the related information
Related information includes server-side platform identification.
A kind of processing method based on collaboration key, the method includes the steps:
Client obtains CUSTOMER ID and client private key component ciphertext, and client is generated based on the CUSTOMER ID
Temporary key, and the client private key component ciphertext is decrypted using the client temporary key, obtain client private key
Component, and send message to server-side;
Server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction, which carries, closes
Join information, the control instruction is described to indicate that the cipher machine generates server-side private key component according to the related information
Related information includes server-side platform identification.
A kind of processing system based on collaboration key, the system comprises clients and server-side;
The client generates client private key component, obtains CUSTOMER ID, and visitor is generated based on the CUSTOMER ID
Family end temporary key, and the client private key component is encrypted using the client temporary key, obtain client private key
Component ciphertext, and send message to server-side;
The server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction is taken
Band related information, the control instruction to indicate the cipher machine according to the related information generate server-side private key component,
The related information includes server-side platform identification.
A kind of processing system based on collaboration key, the system comprises clients and server-side;
The client generates client private key component, obtains CUSTOMER ID, and visitor is generated based on the CUSTOMER ID
Family end temporary key, and the client private key component is encrypted using the client temporary key, obtain client private key
Component ciphertext, and send message to server-side;
The server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction is taken
Band related information, the control instruction to indicate the cipher machine according to the related information generate server-side private key component,
The related information includes server-side platform identification.
A kind of computer equipment, including memory and processor are stored with computer program, the place on the memory
The step of realizing the above method when device executes the computer program is managed, or realizes the client or clothes in method as described above
The processing step at business end.
A kind of computer readable storage medium, is stored thereon with computer program, which realizes when being executed by processor
The step of above method, or realize the processing step of the client or server-side in method as described above.
According to the scheme of embodiment as described above, the client of the temporary key that is derived from by CUSTOMER ID to generation
Private key component is encrypted, form to the effective protection of client private key component avoid storage key illegally obtained by third party
The possibility taken strengthens the safety of the private key component of distributed private key.
Description of the drawings
Fig. 1 is the flow diagram of the processing method based on collaboration key in one embodiment;
Fig. 2 is the flow diagram of the processing method based on collaboration key in another embodiment;
Fig. 3 is the flow diagram of the processing method based on collaboration key in another embodiment;
Fig. 4 is the flow diagram of the processing method based on collaboration key in another embodiment;
Fig. 5 is the module diagram of the processing system based on collaboration key in another embodiment;
Fig. 6 is the internal structure schematic diagram of the computer equipment in one embodiment.
Specific implementation mode
It is with reference to the accompanying drawings and embodiments, right in order to make the object, technical solution and advantage of the application be more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only used to explain the application, and
It is not used in restriction the application.
The scheme of the embodiment of the present application is related to two equipment in the application of specific technology, is denoted as equipment one and set
Standby two, there is equipment one one private key component of equipment, equipment two to have two private key component of equipment, in collaboration signature and decryption, if
Standby one is based on two private key component of equipment based on one private key component of equipment, equipment two, and the process of signature and decryption is completed in the two collaboration.
In some embodiments, equipment one can be terminal, and equipment two can be server, to realize between terminal and server
The process of collaboration signature and decryption.Equipment one, equipment two can be specifically terminal console, mobile terminal and others can with or
Person can be that independent server is either multiple when equipment two is server to the equipment for cooperateing with signature or decryption
The server cluster of server composition.
As shown in Figure 1, the processing method based on collaboration key in one embodiment includes the following steps S101 to step
S103, this method can be applied to the subscriber terminal equipment of setting client, which is to combine to generate client private key component
Scene for illustrate.
Step S101:CUSTOMER ID is obtained, client temporary key is generated based on the CUSTOMER ID.
The CUSTOMER ID can be PIN (the personal identification of user in one embodiment
Number, personal identification number), which can be based on user and input acquisition.
When generating client temporary key based on CUSTOMER ID, any possible mode may be used and carry out.One
Can be obtained using the CUSTOMER ID input by user of acquisition as input parameter by executing key derivation algorithm in embodiment
To the client temporary key.
In one embodiment, can also include step before above-mentioned acquisition CUSTOMER ID input by user:It obtains
Device hardware parameter, device software parameter and equipment identities mark, and based on device hardware parameter, device software parameter and
Equipment identities mark generates device-fingerprint information.
At this point, the step of generating client temporary key based on CUSTOMER ID includes:Based on CUSTOMER ID and equipment
Finger print information generates client temporary key.Can be the CUSTOMER ID input by user with acquisition in one specific example
It is input parameter with device-fingerprint information, the client temporary key is obtained by executing key derivation algorithm.
Wherein, in one example, can also include step before above-mentioned acquisition equipment identities mark:Use random number
Generator generates equipment identities mark, and stores the equipment identities mark of generation, and equipment identities mark can be stored in non-
Volatile storage space, to facilitate subsequent applications to be read out in the process.
In one embodiment, further include step before obtaining CUSTOMER ID input by user:Salt figure is generated, and
Salt figure (the additional value added in cryptographic process) is stored, which can be stored in nonvolatile memory space, with
Subsequent applications are facilitated to be read out in the process.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:Based on CUSTOMER ID and
The salt figure read generates client temporary key.In one specific example, it can be identified with the user input by user of acquisition
Code and the salt figure are input parameter, and the client temporary key is obtained by executing key derivation algorithm.To by introducing salt
Value can be conducive to resist the attack of rainbow table, further strengthen safety.
In one embodiment, further include step before obtaining CUSTOMER ID input by user:Salt figure is generated, is deposited
Store up the salt figure;And obtain device hardware parameter, device software parameter and equipment identities mark, based on device hardware parameter,
The device software parameter and equipment identities mark generate device-fingerprint information.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:It is identified based on the user
Code, the salt figure and the device-fingerprint information generate the temporary key.Can be the use with acquisition in one specific example
CUSTOMER ID, device-fingerprint information and salt figure of family input are input parameter, are obtained by executing key derivation algorithm
The client temporary key.
In one embodiment, can also include step before obtaining CUSTOMER ID input by user:It generates random
Integer, and the random integers are stored, which can be stored in nonvolatile memory space, to facilitate subsequent applications mistake
It is read out in journey.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:Based on CUSTOMER ID, hold
The key derivation algorithm of row random integers time generates client temporary key.For example, using CUSTOMER ID as input parameter, execute
The key derivation algorithm of random integers time generates client temporary key.To, by introduce random integers, can be conducive to
Anti- rainbow table attack, further strengthens safety.
In one embodiment, can also include step before obtaining CUSTOMER ID input by user:Generate salt figure
And random integers, and store salt figure and random integers.
At this point, the step of generating client temporary key based on CUSTOMER ID includes:Based on CUSTOMER ID and salt figure,
The key derivation algorithm for executing random integers time generates client temporary key.
In one embodiment, random integers are being generated and be with CUSTOMER ID and device-fingerprint information are being input
Parameter generate client temporary key in the case of, be using CUSTOMER ID and device-fingerprint information as input parameter, execute with
The key derivation algorithm of machine integer time generates client temporary key.In one embodiment, generate at the same time salt figure and with
Machine integer can be to obtain in the case of generating the temporary key based on CUSTOMER ID, salt figure and device-fingerprint information
CUSTOMER ID input by user, device-fingerprint information and the salt figure be input parameter, execute the key of random integers time
It derives from algorithm and generates client temporary key.
In one embodiment, can also include step before above-mentioned acquisition CUSTOMER ID input by user:It obtains
Password authentication information input by user and identifying code;Password authentication information and identifying code are verified, and when being verified, display is used
Family identification code input interface.It is thus possible to using the double authentication of password authentication and identifying code, it is correct in verification,
Just allow to input CUSTOMER ID.In a specific example, the length and character types of password can also be defined, such as
The length of password has to be larger than the first predetermined length, and character types must include capitalization, lowercase and number etc., with
Implement high intensity verification.
It on the other hand, in one embodiment, can also be in continuous first pre-determined number password authentication information and identifying code
It is obstructed out-of-date to verify, and locks the verification password authentication information and identifying code mechanism, that is, limiting not allows user to continue to execute response
Flow, and unlocked after waiting for first time period, and continuous second pre-determined number password authentication information and verification after unlock
Code verification is obstructed out-of-date, locks the verification password authentication information and identifying code mechanism, and unlocked after waiting for second time period, and
Second time period is more than first time period, and so on.
Step S102:Generate client private key component.
The generating mode of client private key component is carried out using any possible mode.In one embodiment, Ke Yishi
Random number is generated using randomizer, and using the random number as the client private key component.
Step S103:Client private key component is encrypted using client temporary key, it is close to obtain client private key component
Text.
When client private key component is encrypted using client temporary key, any possible encryption may be used
Mode carries out.Such as client temporary key can be as symmetric key, by client temporary key to client private key
Component executes symmetric cryptography, obtains client private key ciphertext.In one embodiment, the client private key ciphertext of acquisition can preserve
Nonvolatile memory space inside the spacing container of client.
In one embodiment, in digital signature procedure, after being digitally signed based on client private key component, also
The copy of the client private key component in memory can be destroyed.To avoid the client private key component in memory copy by other people
The possibility known, to further strengthen safety.
In one embodiment, can also include step before being digitally signed:Service for checking credentials end private key component with
Whether client private key component matches, to avoid unauthorized use server-side private key component.
As shown in Fig. 2, the processing method based on collaboration key in one embodiment includes the following steps S201 to step
S202, this method can be applied to the subscriber terminal equipment of setting client, which is that decryption is combined to obtain client private key
It is illustrated for the scene of component.
Step S201:CUSTOMER ID and client private key component ciphertext are obtained, visitor is generated based on the CUSTOMER ID
Family end temporary key.
Wherein, which can directly read from memory space.The CUSTOMER ID is in one embodiment
In can be user PIN (personal identification number, personal identification number), which can be with
It is inputted and is obtained based on user.
When generating client temporary key based on CUSTOMER ID, any possible mode may be used and carry out.One
Can be obtained using the CUSTOMER ID input by user of acquisition as input parameter by executing key derivation algorithm in embodiment
To the client temporary key.
In one embodiment, it is above-mentioned client temporary key is generated based on the CUSTOMER ID before, can be with
Including step:Device hardware parameter, device software parameter and equipment identities mark are read, and is based on device hardware parameter, sets
Standby software parameters and equipment identities mark generate device-fingerprint information.
At this point, the step of generating client temporary key based on CUSTOMER ID includes:Based on CUSTOMER ID and equipment
Finger print information generates client temporary key.Can be the CUSTOMER ID input by user with acquisition in one specific example
It is input parameter with device-fingerprint information, the client temporary key is obtained by executing key derivation algorithm.
In one embodiment, further include step before generating client temporary key based on the CUSTOMER ID:
Read the salt figure (the additional value added in cryptographic process) of storage.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:Based on CUSTOMER ID and
The salt figure read generates client temporary key.In one specific example, it can be identified with the user input by user of acquisition
Code and the salt figure are input parameter, and the client temporary key is obtained by executing key derivation algorithm.To by introducing salt
Value can be conducive to resist the attack of rainbow table, further strengthen safety.
In one embodiment, further include step before generating client temporary key based on the CUSTOMER ID:
Read the salt figure of storage;And device hardware parameter, device software parameter and equipment identities mark are read, joined based on device hardware
Number, device software parameter and equipment identities mark generate device-fingerprint information.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:It is identified based on the user
Code, the salt figure and the device-fingerprint information generate the temporary key.Can be the use with acquisition in one specific example
CUSTOMER ID, device-fingerprint information and salt figure of family input are input parameter, are obtained by executing key derivation algorithm
The client temporary key.
In one embodiment, before generating client temporary key based on the CUSTOMER ID, can also include
Step:Read the random integers of storage.
At this point, above-mentioned the step of generating client temporary key based on CUSTOMER ID, includes:Based on CUSTOMER ID, hold
The key derivation algorithm of row random integers time generates client temporary key.To by introducing random integers, be conducive to
The attack of rainbow table is resisted, safety is further strengthened.
In one embodiment, before generating client temporary key based on the CUSTOMER ID, can also include
Step:Read the salt figure and random integers of storage.
At this point, the step of generating client temporary key based on CUSTOMER ID includes:Based on CUSTOMER ID and salt figure,
The key derivation algorithm for executing random integers time generates client temporary key.
It is appreciated that in the case where generating client temporary key using CUSTOMER ID as input parameter, Ke Yishi
Using CUSTOMER ID as input parameter, the key derivation algorithm for executing random integers time generates client temporary key.At one
In embodiment, is having read random integers and be that client is generated as input parameter using CUSTOMER ID and device-fingerprint information
It is to execute the key of random integers time using CUSTOMER ID and device-fingerprint information as input parameter in the case of temporary key
It derives from algorithm and generates client temporary key.In one embodiment, salt figure and random integers are had read at the same time, are based on user
It, can be with the user input by user of acquisition in the case that identification code, salt figure and device-fingerprint information generate the temporary key
Identification code, device-fingerprint information and the salt figure are input parameter, and the key derivation algorithm for executing random integers time generates client
Hold temporary key.
In one embodiment, can also include step before above-mentioned acquisition CUSTOMER ID input by user:It obtains
Password authentication information input by user and identifying code;Password authentication information and identifying code are verified, and when being verified, display is used
Family identification code input interface.It is thus possible to using the double authentication of password authentication and identifying code, it is correct in verification,
Just allow to input CUSTOMER ID.In a specific example, the length and character types of password can also be defined, such as
The length of password has to be larger than the first predetermined length, and character types must include capitalization, lowercase and number etc., with
Implement high intensity verification.
It on the other hand, in one embodiment, can also be in continuous first pre-determined number password authentication information and identifying code
It is obstructed out-of-date to verify, and locks the verification password authentication information and identifying code mechanism, that is, limiting not allows user to continue to execute response
Flow, and unlocked after waiting for first time period, and continuous second pre-determined number password authentication information and verification after unlock
Code verification is obstructed out-of-date, locks the verification password authentication information and identifying code mechanism, and unlocked after waiting for second time period, and
Second time period is more than first time period, and so on.
Step S202:The client private key component ciphertext is decrypted using the client temporary key, obtains client
Hold private key component.
When client private key component is decrypted using client temporary key, any possible decryption side can be used
Formula carries out, as long as can be corresponding with cipher mode.Such as the client temporary key is symmetric key, interim by client
Key pair client private key component executes symmetrical decryption, obtains client private key component.
In one embodiment, in digital signature procedure, after being digitally signed based on client private key component, also
The copy of the client private key component in memory can be destroyed.To avoid the client private key component in memory copy by other people
The possibility known, to further strengthen safety.
In one embodiment, can also include step before being digitally signed:Service for checking credentials end private key component with
Whether client private key component matches, to avoid unauthorized use server-side private key component.
The following is a detailed description of one of the examples.In this example, it is related to client private key component
Generation, the use of client private key component and the protection of client private key component.
The process for generating client private key component may include following step A1 to step A4.
Step A1:Generate related non-sensitive parameter.Non-sensitive parameter in one embodiment includes salt figure Salt, random whole
Number Rounds and equipment identities identify UUID.
Salt figure Salt:Client available random number generator generates salt figure Salt.
Random integers Rounds:Client available random number generator generates a random integers Rounds, this is random whole
Number Rounds can be used as the iterations of cipher key derivation function KDF.
Equipment identities identify UUID:Client available random number generator generates the equipment identities for identifying equipment identities
Identify UUID.
Salt figure Salt, the random integers Rounds and equipment identities of generation identify UUID, can be stored in user terminal
Non-volatile holographic storage inside the spacing container of client (such as mobile terminal APP (Application, third party application)) is empty
Between.
Step A2:Generate device-fingerprint information MobileID.
When specific implementation, client can slave mobile device client spacing container nonvolatile memory space in read
Take related hardware parameter SysInfo1, hardware parameter SysInfo1 may include CPU (Central Processing Unit,
Central processing unit) hardware parameters such as type, CPU number.
In addition, the related software parameters SysInfo2 of the terminal device at place, software parameters can be read in client
SysInfo2 may include the related software parameters such as OS Type.
In addition, client can slave mobile device client spacing container nonvolatile memory space in read equipment
Identity UUID.
It is appreciated that reading the mistake of hardware parameter SysInfo1, software parameters SysInfo2 and equipment identities mark UUID
Journey in no particular order sequentially as long as before following specific computing device fingerprint information M obileID, can read hardware
Parameter SysInfo1, software parameters SysInfo2 and equipment identities identify UUID.
It then, will after hardware parameter SysInfo1, software parameters SysInfo2 and equipment identities mark UUID being concatenated
Parameter after concatenation is as input, and executive summary algorithm calculates device-fingerprint information MobileID, the device-fingerprint information
MobileID can be the information of 256 bits, can be expressed as:
MobileID=Hash (SysInfo1 | | SysInfo2 | | UUID).
Wherein, digest algorithm Hash can be any possible digest algorithm, as MD5 (Message Digest Algorithm 5),
SHA256 (Secure Hash Algorithm, secure hash algorithm), SM3 (a kind of cryptographic Hash algorithm) etc..
Step A3:Generate temporary key TK.
Client shows CUSTOMER ID input interface, prompts user to input CUSTOMER ID (PIN code), and obtain user
The CUSTOMER ID of input.In addition, the nonvolatile memory space of the spacing container of the client of client also slave mobile device
Middle reading salt figure Salt and random integers Rounds.
Then, after CUSTOMER ID (PIN code), salt figure Salt, device-fingerprint information MobileID being concatenated, after concatenation
Information as input parameter, execute random integers Rounds secondary keys and derive from algorithm and obtain temporary key TK, formula can be with table
It is shown as:
TK=KDF (PIN | | Salt | | MobileID, Rounds).
Step A4:It generates client private key component and encrypts storage.
Client generates random number with randomizer, and using the random number as client private key component d1。
Then, client is with client private key component d1As input, executed using temporary key TK as symmetric key
Symmetric encipherment algorithm (such as AES, SM4), to client private key component d1It is encrypted, obtains client private key component ciphertext
SD1.Any encryption mode (such as ECB/CBC/OFB) may be used in specific cipher mode.
The client private key component ciphertext SD1 of acquisition, is stored in the isolation of the client (such as mobile terminal App) of user terminal
Nonvolatile memory space inside container.
During using client private key component, client private key component need to be recovered, to use client private key
Component.The process for recovering client private key component may include following step B1 to step B4.
Step B1:Extracting parameter.
In one specific example, the parameter of extraction may include:Salt figure Salt, random integers Rounds, equipment identities mark
Know UUID and client private key component ciphertext SD1.
Step B2:Extraction equipment fingerprint information M obileID.
When specific implementation, client can slave mobile device client spacing container nonvolatile memory space in read
Related hardware parameter SysInfo1 is taken, and reads the related software parameters SysInfo2 of the terminal device at place, slave mobile device
Client spacing container nonvolatile memory space in read equipment identities identify UUID.
It is appreciated that reading the mistake of hardware parameter SysInfo1, software parameters SysInfo2 and equipment identities mark UUID
Journey in no particular order sequentially as long as before following specific computing device fingerprint information M obileID, can read hardware
Parameter SysInfo1, software parameters SysInfo2 and equipment identities identify UUID.
It then, will after hardware parameter SysInfo1, software parameters SysInfo2 and equipment identities mark UUID being concatenated
For parameter after concatenation as input, executive summary algorithm calculates device-fingerprint information MobileID.
Step B3:Generate temporary key TK.
Client shows CUSTOMER ID input interface, prompts user to input CUSTOMER ID (PIN code), and obtain user
The CUSTOMER ID of input.In addition, the nonvolatile memory space of the spacing container of the client of client also slave mobile device
Middle reading salt figure Salt and random integers Rounds.
Then, after CUSTOMER ID (PIN code), salt figure Salt, device-fingerprint information MobileID being concatenated, after concatenation
Information as input parameter, execute random integers Rounds secondary keys and derive from algorithm and obtain temporary key TK, formula can be with table
It is shown as:
TK=KDF (PIN | | Salt | | MobileID, Rounds).
Step B4:Calculate client private key component.
Client is executed using client private key component ciphertext SD1 as input, using temporary key TK as symmetric key
Client private key component ciphertext SD1 is decrypted in the decipherment algorithm (such as AES, SM4) of symmetric cryptography, and it is private to obtain client
Key component d1It is encrypted.
Obtain client private key component d1Afterwards, the processes such as the relevant encryption of the execution, signature, decryption can be used.
Wherein, in order to form the effective protection to private key component, specific implementation when, may be used following corresponding strategies into
Row.
In one embodiment, password authentication can be used in client (such as App) of user's login user terminal
The dual factors of+identifying code are verified, which can be specifically short message verification code.Wherein, password authentication can be assisted using CHAP
The Password Authentication Protocol (such as SRP-6) that view or IEEE P1363 are defined.Under the conditions of verification password is correct, just show
PIN code input interface just allows to input PIN code to call client private key component.
One embodiment wherein can implement authentication policy to the intensity of user password and PIN code, such as require PIN code
Meet condition:One, length are more than the first predetermined length or length within the scope of predetermined length, if length is 8~12 words
Symbol;Secondly, need to include capitalization, lowercase and number simultaneously;Thirdly, pass through preset list and carry out weak passwurd inspection.
In one of the embodiments, after executing collaboration signature algorithm each time, client is destroyed in memory immediately
Client private key component d1Any copy.
Client recovers client private key component d in one of the embodiments,1Later, collaboration signature etc. is being executed
Before step, it need to further verify whether client private key component matches with server-side private key component.Only in matched condition
Under, client private key component d could be used1Signature operation is participated in, to utilize reliable and secure server-side private key component d2Come real
Now the enhancing of user identity is verified.Verifying the specific implementation of private key component pairing, the present embodiment does not limit, such as can be with
With reference to 15843 standards of GB/T.
In password authentication flow, and in the private key component pairing flow in collaboration signature stage, server-side can be real
Apply the abnormality processing measure of authentification failure.The identifying procedure of the first pre-determined number (such as 3 times) mistake is such as continuously performed, then server-side
It limits the user and continues to execute corresponding flow, just allow to continue after forcing it to wait for the first predetermined amount of time (such as 1 minute)
Operation.If continuous second pre-determined number occurs again after unlocking, and (second pre-determined number and the first pre-determined number can be with
Identical, can also be different, can also such as be set as 3 times) certification of mistake, then continue to lock, and the time locked can be added
Times, and so on.If client has successfully completed primary certification, the error lock delaying policy of respective account is released.
The processing method based on collaboration key in one embodiment is related to client and server-side, wherein in specific skill
When art is realized, client can refer to the application program of setting on the subscriber terminal, and server-side can refer to being arranged in server
Application program, as shown in figure 3, in one embodiment be related to client and the method for server-side includes the following steps S301 extremely
Step S302, the embodiment be combine client generate private key component scene for illustrate.
Step S301:Client generates client private key component, obtains CUSTOMER ID, is given birth to based on the CUSTOMER ID
The client private key component is encrypted at client temporary key, and using the client temporary key, obtains client
Private key component ciphertext, and send message to server-side.
Step S302:Server-side receives the message that client is sent, and sends control instruction to cipher machine, and control instruction is taken
Band related information, to indicate that cipher machine generates server-side private key component according to related information, related information includes control instruction
Server-side platform identification.In one embodiment, the control instruction can indicate the cipher machine according to the related information with
And the symmetric key of the cipher machine, generate server-side private key component.
Wherein, the processing procedure of the client in step S301 can be with the user terminal in above-mentioned embodiment illustrated in fig. 1
The processing procedure of equipment is identical.
Above-mentioned steps S302 can be executed in server, and in one embodiment, step S302 may include following step
S3021 to step S3022.
Step S3021:Receive the message that client is sent.
Wherein, the message that client is sent can be any possible message, as long as the message that client is sent can refer to
Show or trigger server-side and executes and the relevant operation of server-side private key component.In one embodiment, which sends
The message can be the message sent during indicating that server-side generates server-side private key, can also be to execute number
The message that word is signed or sent during decrypting.In different technology scenes, the information for including in the message can have
Institute is different.
In one embodiment, can only include that can indicate or trigger server-side to hold in the message that client is sent
Row and the relevant operation of server-side private key component.
In one embodiment, may include user identifier in the message that client is sent.To by the message
Include user identifier, server-side can subsequently be based on the user identifier and generate server-side private key point corresponding with the user identifier
Amount, so as to generate different server-side private key components for different users.
In one embodiment, may include key identification in the message that client is sent.To by the message
Include key identification, server-side can subsequently be based on the key identification and generate server-side private key point corresponding with the key identification
Amount, so as to generate different server-side private key components, the different server-side private keys of generation based on different key identifications
Component can use different purposes.
In one embodiment, can also include user identifier and key identification simultaneously in the message that client is sent.
To by the way that including user identifier and key identification, server-side can subsequently be based on the user identifier and key mark within the message
Know, generate corresponding from the user identifier different server-side private key component, the different server-side private key components of generation can be with
For the different purposes corresponding to the user identifier.
Step S3022:Control instruction is sent to cipher machine, the control instruction carries related information, the control instruction
To indicate that the cipher machine generates server-side private key component according to the related information, the related information is held level with both hands including service
Station identification.In one embodiment, which can indicate the cipher machine according to the related information and described close
The symmetric key of ink recorder generates server-side private key component.
Wherein it is possible to should to cipher machine transmission at the time of any need is related to generating or using server-side private key component
Control instruction, when such as receiving above-mentioned message, as long as the message can trigger server-side and send above-mentioned control instruction to cipher machine
.
As in one embodiment, which can be that client cooperates with the mistake for generating server-side private key component with server-side
Related news in journey.
In another embodiment, which can be the mistake that client cooperates with encryption, signature or decryption with server-side
Related news in journey.For being signed, which can be signature command, which is used to indicate password
Machine generates server-side private key component according to related information and the symmetric key of cipher machine, and based on server-side private key component into
Row digital signature.It is thus possible to during executing digital signature, instruction cipher machine generates server-side private key component.To,
Server-side completes the generating process of server-side private key component, the server where server-side during executing digital signature really
With cipher machine without storing the server-side private key component generated, need to assist with the user of multiple and different user terminals in server-side
In the case of signature, server-side and cipher machine are not necessarily to store the server-side private key component of magnanimity, further improve safety.
In one embodiment, when the message sent in above-mentioned client includes user identifier, which may be used also
To include the user identifier.At this point, be based on the control instruction, cipher machine be based on server-side platform identification, user identifier and
The symmetric key of cipher machine generates server-side private key component.To which server-side can be based on the user identifier and generate and the user
Corresponding server-side private key component is identified, so as to generate different server-side private key components for different users.
In one embodiment, when the message sent in above-mentioned client includes key identification, which also wraps
Include the key identification.At this point, being based on the control instruction, cipher machine is to be based on server-side platform identification, cipher mark and password
The symmetric key of machine generates server-side private key component.To which server-side can generate different clothes based on different key identifications
Business end private key component, the different server-side private key components of generation can use different purposes.
It in one embodiment, should in the message that client is sent while when including user identifier and key identification
Related information also includes the user identifier and key identification simultaneously.At this point, being based on the control instruction, cipher machine is to be based on server-side
The symmetric key of platform identification, user identifier, cipher mark and cipher machine generates server-side private key component.To server-side
It can be based on the user identifier and key identification, generate different server-side private key component corresponding from the user identifier, generated
Different server-side private key components, can be used for the different purposes corresponding to the user identifier.
The server-side private key component of above-mentioned generation can be limited to export from cipher machine with plaintext version, can also
It is limited to not allow to be stored in non-volatile holographic storage component, to further strengthen the protection to server-side private key component, into
One step reinforces safety.
Above-mentioned server-side platform identification can be determined based on any possible mode.In one embodiment, it is above-mentioned to
Can also include step before cipher machine sends control instruction:Generate server-side platform identification.Generating server-side platform identification can
By using it is any it is possible in a manner of carry out, such as in one embodiment, can by random number generator generate a random number,
And using the random number as the server-side platform identification, to reinforce the randomness of the server-side platform identification obtained, to reinforce
Randomness based on the server-side private key component that server-side platform identification generates, further strengthens.In another embodiment, may be used
With the relevant information based on server-side, which is generated using certain algorithm.
In one embodiment, can also include step after above-mentioned transmission control instruction:
It is sent to cipher machine and destroys instruction, destruction instruction is private to indicate the server-side in the cipher machine destruction memory
Key component copy.To after using server-side private key component each time, all destroy the server-side private key component in memory
Copy avoids the possibility that the server-side private key component copy in memory is obtained by third party, to further strengthen safety.
As shown in figure 4, the method for being related to client and server-side in one embodiment includes step S401 to step
S402, the embodiment are illustrated for decrypting to obtain the scene of private key component in conjunction with client.
Step S401:Client obtains CUSTOMER ID and client private key component ciphertext, is based on the CUSTOMER ID
Client temporary key is generated, and the client private key component ciphertext is decrypted using the client temporary key, is obtained
Client private key component, and send message to server-side.
Step S402:Server-side receives the message that client is sent, and meets server-side private key component in the message and make
When with condition, control instruction is sent to cipher machine, the control instruction carries related information, and the control instruction is to indicate
Cipher machine is stated according to the related information and the symmetric key of the cipher machine, generates server-side private key component, the association
Information includes server-side platform identification.
Wherein, the processing procedure of the client in step S401 can be with the user terminal in above-mentioned embodiment illustrated in fig. 2
The processing procedure of equipment is identical.The processing procedure of server-side in step S402 can be with the clothes in above-mentioned embodiment illustrated in fig. 3
The processing procedure at business end is identical.
The following is a detailed description of one of the examples.In this example, it is related to server-side private key component
Generation, the use of server-side private key component and the protection of server-side private key component.
In order to generate server-side private key component, server-side generates a server-side platform identification PlatformID, and close
The symmetric key X of a symmetric encipherment algorithm is generated and stored inside ink recorder.One with regard to the server-side private key in specific example point
The product process of amount can be discussed further below:
User identifier UserID and the key identification KeyID, user identifier UserID that client is sent are received to mark
Know different users, for key identification KeyID to distinguish different keys, a key identification corresponds to a client private key
Component and a server-side private key component.
Then, server-side calls encryption equipment interface, and server-side platform identification PlatformID, user are based on inside encryption equipment
Mark UserID, key identification KeyID and symmetric key X calculate the server-side private key component d that length is klen bits2,
It can be expressed as with formula:
Seed=Encrypt (PlatformID | | UserID | | KeyID, X);
d2=KDF (seed, klen).
Wherein, Encrypt is symmetric encipherment algorithm, and symmetric key X is used to be encrypted, and used algorithm can be
Any possible symmetric encipherment algorithm, such as DES (Data Encryption Algorithm, data encryption algorithm), AES
(Advanced Encryption Standard, Advanced Encryption Standard), SM4 (block cipher) etc..KDF is key derivation
Algorithm can be specifically the function that PKCS#5 standards define, or《GM/T 0003.4-2012 SM2 ellipse curve public key ciphers
The 4th part of algorithm:Public key encryption algorithm》Defined in key derivation algorithm etc..
During using server-side private key component, server-side private key component need to be recovered, to use server-side private key
Component.Process and the process of above-mentioned generation server-side private key component for recovering server-side private key component are completely the same.Specific
Technology application scenarios in, may not need special flow and generate server-side private key component, but needing it is private using server-side
When key component, then by cipher machine generation server-side private key component, to which server-side and cipher machine are not necessarily to store the key of magnanimity
Data.
By taking digital signature as an example, but during executing digital signature, server-side is in the use for obtaining client transmission
After family identifies UserID and key identification KeyID, server-side calls encryption equipment interface, and server-side platform mark is based on inside encryption equipment
It is klen bits to know PlatformID, user identifier UserID, key identification KeyID and symmetric key X to calculate length
Server-side private key component d2, and the server-side private key component d based on generation2Complete digital signature procedure.
Wherein, in order to form the effective protection to private key component, in specific implementation, it can limit and ensure calculated clothes
Be engaged in end private key component d2It cannot be exported outside cipher machine with plaintext version, and limit and ensure the server-side private key that cipher machine generates
Component d2Do not allow to be stored in non-volatile holographic storage component.On the other hand, it is performed in unison with digital signature in client and server-side
Stage, server-side calculates private key component d inside cipher machine by sending instructions to cipher machine according to X2, complete collaboration
The step of signature.On the other hand, can also be no matter to calculate public key or carry out collaboration signature, all use service in cipher machine
Hold private key component d2Later, server-side destroys the server-side private key component in cipher machine memory by being sent the commands to cipher machine
Copy.
Wherein, in order to form the effective protection to private key component, specific implementation when, may be used following corresponding strategies into
Row.
In one embodiment, password authentication can be used in client (such as App) of user's login user terminal
The dual factors of+identifying code are verified, which can be specifically short message verification code.Wherein, password authentication can be assisted using CHAP
The Password Authentication Protocol (such as SRP-6) that view or IEEE P1363 are defined.Under the conditions of verification password is correct, just show
PIN code input interface just allows to input PIN code to call client private key component.
One embodiment wherein can implement authentication policy to the intensity of user password and PIN code, such as require PIN code
Meet condition:One, length are more than the first predetermined length or length within the scope of predetermined length, if length is 8~12 words
Symbol;Secondly, need to include capitalization, lowercase and number simultaneously;Thirdly, pass through preset list and carry out weak passwurd inspection.
In one of the embodiments, after executing collaboration signature algorithm each time, client is destroyed in memory immediately
Client private key component d1Any copy.
Client recovers client private key component d in one of the embodiments,1Later, collaboration signature etc. is being executed
Before step, it need to further verify whether client private key component matches with server-side private key component.Only in matched condition
Under, client private key component d could be used1Signature operation is participated in, to utilize reliable and secure server-side private key component d2Come real
Now the enhancing of user identity is verified.Verifying the specific implementation of private key component pairing, the present embodiment does not limit, such as can be with
With reference to 15843 standards of GB/T.
In password authentication flow, and in the private key component pairing flow in collaboration signature stage, server-side can be real
Apply the abnormality processing measure of authentification failure.The identifying procedure of the first pre-determined number (such as 3 times) mistake is such as continuously performed, then server-side
It limits the user and continues to execute corresponding flow, just allow to continue after forcing it to wait for the first predetermined amount of time (such as 1 minute)
Operation.If continuous second pre-determined number occurs again after unlocking, and (second pre-determined number and the first pre-determined number can be with
Identical, can also be different, can also such as be set as 3 times) certification of mistake, then continue to lock, and the time locked can be added
Times, and so on.If client has successfully completed primary certification, the error lock delaying policy of respective account is released.
In summary content, the scheme of each embodiment of the application as described above, safety is improved by following manner
Energy.
Server-side private key component d is protected by using the cipher machine for meeting safe three-level2Even if having leaked client private
Key component d1, attacker can not also obtain complete private key d.
Client private key component d is generated using the random number generator for meeting the close random number inspection criterion of state1, utilize
The temporary key TK that PIN code derives from carrys out encipherment protection client private key component d1。
By the verification to PIN code intensity, be conducive to resist offline dictionary attack.And by introducing salt figure Salt, random
Integer Rounds is conducive to resist the attack of rainbow table.
During deriving from temporary key TK using PIN code, the KDF algorithms of random integers Rounds times are executed, it will
The considerable execution time is consumed, this implements offline enumerate or dictionary attack increases difficulty to attacker.In the present embodiment side
In case, the space of enumerating of PIN code includes at least 628Kind situation, it is assumed that calculate a KDF iteration and consume 100 milliseconds, then enumerate big
About need 2.2 × 1016Millisecond (~6900th century).
By increasing the verification step of client and the pairing of server-side private key component, the certification to client identity is increased
Intensity, while can be to avoid unauthorized use server-side private key component.
By password is responsible for/user password certification, client and server-side private key component match reciprocity online verification flow
The abnormal implement general plan control measure of mistake so that attacker can not implement online enumerate or dictionary is attacked within the acceptable time
It hits.Such as attempting 3n pairing required time isSecond, it is assumed that attacker guesses right at 90 times or so
PIN code, n=30, calculates and understands T ≈ 68 years at this time.
The dual factors verification of entry password+short message verification code is used in the client of user's login user terminal.And
The protection PIN of the entry password of user role and certificate and private key is kept completely separate, password is avoided and participates in generation/recovery client
The calculating process of private key component.
As shown in figure 5, the processing system based on collaboration key in one embodiment includes client 1 and server-side 2.
Wherein, by taking client generates the scene of private key component as an example, at this time:
Client 1 generates client private key component, obtains CUSTOMER ID, and client is generated based on the CUSTOMER ID
Temporary key, and the client private key component is encrypted using the client temporary key, obtain client private key component
Ciphertext, and send message to server-side;
Server-side 2 receives the message that client 1 is sent, and sends control instruction to cipher machine, and control instruction carries association
Information, control instruction to indicate the cipher machine according to related information generate server-side private key component, the related information packet
Include server-side platform identification.In one embodiment, the control instruction can indicate the cipher machine according to related information and
The symmetric key of the cipher machine generates server-side private key component.
With reference to figure 5, in one embodiment, server-side 2 includes server-side communication module 21 and private key component processing control mould
Block 22.
Server-side communication module 21, the message for receiving client transmission.The message that client is sent can be any
Possible message, as long as the message that client is sent can indicate or trigger server-side and execute and the relevant behaviour of server-side private key component
Make.In one embodiment, the message that client is sent can be that the process of server-side private key is generated in instruction server-side
The message of middle transmission can also be the message sent during executing digital signature or decryption.In different technology fields
Jing Zhong, the information for including in the message can be different.
In one embodiment, can only include that can indicate or trigger server-side to hold in the message that client is sent
Row and the relevant operation of server-side private key component.
In one embodiment, may include user identifier in the message that client is sent.To by the message
Include user identifier, server-side can subsequently be based on the user identifier and generate server-side private key point corresponding with the user identifier
Amount, so as to generate different server-side private key components for different users.
In one embodiment, may include key identification in the message that client is sent.To by the message
Include key identification, server-side can subsequently be based on the key identification and generate server-side private key point corresponding with the key identification
Amount, so as to generate different server-side private key components, the different server-side private keys of generation based on different key identifications
Component can use different purposes.
In one embodiment, can also include user identifier and key identification simultaneously in the message that client is sent.
To by the way that including user identifier and key identification, server-side can subsequently be based on the user identifier and key mark within the message
Know, generate corresponding from the user identifier different server-side private key component, the different server-side private key components of generation can be with
For the different purposes corresponding to the user identifier.
Private key component processing and control module 22, for sending control instruction to cipher machine, the control instruction carries association
Information, the control instruction to indicate the cipher machine according to the related information generate server-side private key component, the pass
It includes server-side platform identification to join information.
Wherein it is possible to should to cipher machine transmission at the time of any need is related to generating or using server-side private key component
Control instruction, when such as receiving above-mentioned message, as long as the message can trigger server-side and send above-mentioned control instruction to cipher machine
.
As in one embodiment, which can be that client cooperates with the mistake for generating server-side private key component with server-side
Related news in journey.
In another embodiment, which can be the mistake that client cooperates with encryption, signature or decryption with server-side
Related news in journey.For being signed, which can be signature command, which is used to indicate password
Machine generates server-side private key component according to related information and the symmetric key of cipher machine, and based on server-side private key component into
Row digital signature.It is thus possible to during executing digital signature, instruction cipher machine generates server-side private key component.To,
Server-side completes the generating process of server-side private key component, the server where server-side during executing digital signature really
With cipher machine without storing the server-side private key component generated, need to assist with the user of multiple and different user terminals in server-side
In the case of signature, server-side and cipher machine are not necessarily to store the server-side private key component of magnanimity, further improve safety.
In one embodiment, when the message sent in above-mentioned client includes user identifier, which may be used also
To include the user identifier.At this point, be based on the control instruction, cipher machine be based on server-side platform identification, user identifier and
The symmetric key of cipher machine generates server-side private key component.To which server-side can be based on the user identifier and generate and the user
Corresponding server-side private key component is identified, so as to generate different server-side private key components for different users.
In one embodiment, when the message sent in above-mentioned client includes key identification, which also wraps
Include the key identification.At this point, being based on the control instruction, cipher machine is to be based on server-side platform identification, cipher mark and password
The symmetric key of machine generates server-side private key component.To which server-side can generate different clothes based on different key identifications
Business end private key component, the different server-side private key components of generation can use different purposes.
It in one embodiment, should in the message that client is sent while when including user identifier and key identification
Related information also includes the user identifier and key identification simultaneously.At this point, being based on the control instruction, cipher machine is to be based on server-side
The symmetric key of platform identification, user identifier, cipher mark and cipher machine generates server-side private key component.To server-side
It can be based on the user identifier and key identification, generate different server-side private key component corresponding from the user identifier, generated
Different server-side private key components, can be used for the different purposes corresponding to the user identifier.
With reference to figure 5, in one embodiment, server-side 2 further includes:Platform identification generation module 23, it is described for generating
Server-side platform identification.Generation server-side platform identification may be used any possible mode and carry out, such as in one embodiment,
A random number can be generated by random number generator, and using the random number as the server-side platform identification, to reinforce
The randomness of the server-side platform identification of acquisition, with reinforce the server-side private key component generated based on server-side platform identification with
Machine further strengthens safety.It in another embodiment, can be based on the relevant information of server-side, using certain calculation
Method generates the server-side platform identification.
With reference to figure 5, in one embodiment, server-side 2 further includes:Server-side private key copy destroy module 24, for
The cipher machine, which is sent, destroys instruction, described to destroy instruction to indicate that the cipher machine destroys the server-side private key point in memory
Measure copy.To after using server-side private key component each time, all destroy the pair of the server-side private key component in memory
This, avoids the possibility that the server-side private key component copy in memory is obtained by third party, to further strengthen safety.
With reference to figure 5, in one embodiment, server-side 2 further includes:Security permission control module 25, it is described for controlling
Server-side private key component cannot be exported with plaintext version from the cipher machine;And the server-side private key component is controlled, do not allow
It is stored in non-volatile holographic storage component.To further strengthen the protection to server-side private key component, safety is further strengthened
Property.
With reference to figure 5, in one embodiment, by taking the application scenarios of the generation client private key component as an example, client 1 is wrapped
It includes:Client private key component generation module 101, temporary key generation module 102, private key component encrypting module 103 and client
Communication module 104.
Client private key component generation module 101, for generating client private key component.
The generating mode of client private key component is carried out using any possible mode.In one embodiment, Ke Yishi
Random number is generated using randomizer, and using the random number as the client private key component.
Temporary key generation module 102 generates client based on the CUSTOMER ID and faces for obtaining CUSTOMER ID
When key.
The CUSTOMER ID can be PIN (the personal identification of user in one embodiment
Number, personal identification number), which can be based on user and input acquisition.
When generating client temporary key based on CUSTOMER ID, any possible mode may be used and carry out.One
Can be obtained using the CUSTOMER ID input by user of acquisition as input parameter by executing key derivation algorithm in embodiment
To the client temporary key.
Refering to what is shown in Fig. 5, in one embodiment, client 1 further includes:Device-fingerprint information module 107, for obtaining
Device hardware parameter, device software parameter and equipment identities mark, are joined based on the device hardware parameter, the device software
The several and described equipment identities mark generates device-fingerprint information.
At this point, above-mentioned temporary key generation module 102 is based on the CUSTOMER ID and the device-fingerprint information generates
The temporary key.Can be CUSTOMER ID and the device-fingerprint information input by user with acquisition in one specific example
For input parameter, the client temporary key is obtained by executing key derivation algorithm.
In one embodiment, client 1 further includes:Equipment identities identifier generation module (not shown), with random
Number generator generates equipment identities mark, and stores the equipment identities mark of generation, and equipment identities mark can be stored in
Nonvolatile memory space, to facilitate subsequent applications to be read out in the process.
Refering to what is shown in Fig. 5, in one embodiment, client 1 further includes:Salt figure module 108, for generate salt figure (
The additional value added in cryptographic process), and store the salt figure.The salt figure can be stored in non-volatile holographic storage sky
Between, to facilitate subsequent applications to be read out in the process.
At this point, above-mentioned temporary key generation module 102, can be based on described in the CUSTOMER ID and salt figure generation
Temporary key.
In one embodiment, refering to what is shown in Fig. 5, client 1 can include above equipment finger print information module 107 simultaneously
With salt figure module 108.At this point, above-mentioned temporary key generation module 102, with the CUSTOMER ID input by user of acquisition, equipment
Finger print information and the salt figure are input parameter, and the client temporary key is obtained by executing key derivation algorithm.To lead to
Introducing salt figure is crossed, can be conducive to resist the attack of rainbow table, further strengthen safety.
Refering to what is shown in Fig. 5, in one embodiment, client 1 can also include:Random integers module 109, for generating
Random integers, and store the random integers.The random integers can be stored in nonvolatile memory space, subsequently be answered with facilitating
With being read out in the process.
At this point, above-mentioned temporary key generation module 102, can be based on the CUSTOMER ID, execute the random integers
Secondary key derivation algorithm generates the temporary key.To by introducing random integers, resistance rainbow table is conducive to and attacked
It hits, further strengthens safety.
It is appreciated that in one embodiment, client 1 can include device-fingerprint information module 107 simultaneously and random whole
Digital-to-analogue block 109, at this point, above-mentioned temporary key generation module 102 is using CUSTOMER ID and device-fingerprint information as input parameter,
The key derivation algorithm for executing random integers time generates client temporary key.
In one embodiment, client 1 can also include salt figure module 108 and random integers module 109 simultaneously.This
When, temporary key generation module 102 can be based on the CUSTOMER ID and the salt figure, execute the random integers time
Key derivation algorithm generate the temporary key.
In one embodiment, client 1 can also include device-fingerprint information module 107,108 and of salt figure module simultaneously
Random integers module 109.At this point, temporary key generation module 102, can be based on CUSTOMER ID, device-fingerprint information and
The salt figure, the key derivation algorithm for executing random integers time generate temporary key.
Refering to what is shown in Fig. 5, in one embodiment, client 1 further includes:Password authentication module 106, for obtaining user
The password authentication information and identifying code of input verify the password authentication information and the identifying code, and when being verified, and show
Show CUSTOMER ID input interface.It is thus possible to using the double authentication of password authentication and identifying code, correct situation is being verified
Under, just allow to input CUSTOMER ID.In a specific example, the length and character types of password can also be limited
Fixed, if the length of password has to be larger than the first predetermined length, character types must include capitalization, lowercase and number etc.
Deng to implement high intensity verification.
On the other hand, in one embodiment, password authentication module 106 can also recognize in continuous first pre-determined number password
It demonstrate,proves information and identifying code verification is obstructed out-of-date, lock the verification password authentication information and identifying code mechanism, that is, limiting not allows to use
Family continues to execute the flow of response, and is unlocked after waiting for first time period, and the continuous second pre-determined number password after unlock
Authentication information and identifying code verification are obstructed out-of-date, lock the verification password authentication information and identifying code mechanism, and waiting for second
It is unlocked after period, and second time period is more than first time period, and so on.
Private key component encryption/decryption module 103, for using the client temporary key to the client private key component
Encryption obtains client private key component ciphertext.
When client private key component is encrypted using client temporary key, any possible encryption may be used
Mode carries out.Such as client temporary key can be as symmetric key, by client temporary key to client private key
Component executes symmetric cryptography, obtains client private key ciphertext.In one embodiment, the client private key ciphertext of acquisition can preserve
Nonvolatile memory space inside the spacing container of client.
Accordingly, as shown in figure 5, the client can also include client private key ciphertext memory module 105, for storing
State client private key component ciphertext.
Client communication module 104, for sending message to the server-side.
Wherein, the message that client is sent can be any possible message, as long as the message that client is sent can refer to
Show or trigger server-side and executes and the relevant operation of server-side private key component.In one embodiment, which sends
The message can be the message sent during indicating that server-side generates server-side private key, can also be to execute number
The message that word is signed or sent during decrypting.In different technology scenes, the information for including in the message can have
Institute is different.
With reference to figure 5, in one embodiment, by taking the application scenarios of applications client private key component as an example, at this point, based on dividing
The processing system of cloth private key includes client 1 and server-side 2, wherein:
Client 1 obtains CUSTOMER ID and client private key component ciphertext, and client is generated based on the CUSTOMER ID
Temporary key is held, and the client private key component ciphertext is decrypted using the client temporary key, it is private to obtain client
Key component, and send message to server-side;
Server-side 2 receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction, which carries, closes
Join information, the control instruction is indicating the cipher machine according to the symmetrical close of the related information and the cipher machine
Key generates server-side private key component, and the related information includes server-side platform identification.The structure of the server-side 2 can be with life
It is identical at the structure in client private key component scene.
At this point, client 1 includes:Client private key ciphertext memory module 105, temporary key generation module 102, private key point
Measure deciphering module 112 and above-mentioned client communication module 104.
Client private key ciphertext memory module 105, for storing client private key ciphertext.It can be specifically the above-mentioned private of storage
The client private key ciphertext that key component encrypting module 103 obtains.
Temporary key generation module 102 generates client based on the CUSTOMER ID and faces for obtaining CUSTOMER ID
When key.
The CUSTOMER ID can be PIN (the personal identification of user in one embodiment
Number, personal identification number), which can be based on user and input acquisition.
When generating client temporary key based on CUSTOMER ID, any possible mode may be used and carry out.One
Can be obtained using the CUSTOMER ID input by user of acquisition as input parameter by executing key derivation algorithm in embodiment
To the client temporary key.
With reference to figure 5, in one embodiment, when above-mentioned client 1 includes device-fingerprint information module 107, the equipment
Finger print information module 107 can read device hardware parameter, device software parameter and equipment identities mark, be based on device hardware
Parameter, device software parameter and equipment identities mark generate device-fingerprint information.
At this point, above-mentioned temporary key generation module 102 is based on the CUSTOMER ID and the device-fingerprint information generates
The temporary key.Can be CUSTOMER ID and the device-fingerprint information input by user with acquisition in one specific example
For input parameter, the client temporary key is obtained by executing key derivation algorithm.
Refering to what is shown in Fig. 5, in one embodiment, when client 1 includes salt figure module 108, the salt figure module 108 is also
Read the salt figure of storage.At this point, above-mentioned temporary key generation module 102, can be based on the CUSTOMER ID and the salt figure
Generate the temporary key.
In one embodiment, refering to what is shown in Fig. 5, including device-fingerprint information module 107 and salt figure simultaneously in client 1
When module 108, temporary key generation module 102 with the CUSTOMER ID input by user of reading, device-fingerprint information and is somebody's turn to do
Salt figure is input parameter, and the client temporary key is obtained by executing key derivation algorithm.Thus by introducing salt figure, it can
Be conducive to resist the attack of rainbow table, further strengthen safety.
Refering to what is shown in Fig. 5, in one embodiment, when client 1 includes random integers module 109, the random integers
Module 109 also reads the random integers of storage.At this point, above-mentioned temporary key generation module 102, can be based on CUSTOMER ID,
The key derivation algorithm for executing random integers time generates the temporary key.To by introducing random integers, be conducive to
The attack of rainbow table is resisted, safety is further strengthened.
It is appreciated that in one embodiment, in client 1 simultaneously including above equipment finger print information module 107 and with
When machine integer module 109, it is that input is joined that above-mentioned temporary key generation module 102, which is with CUSTOMER ID and device-fingerprint information,
Number, the key derivation algorithm for executing random integers time generate client temporary key.Include salt figure module simultaneously in client 1
108 and when random integers module 109, temporary key generation module 102 can be based on the CUSTOMER ID and the salt figure,
The key derivation algorithm for executing the random integers time generates the temporary key.Believe simultaneously including device-fingerprint in client 1
When ceasing module 107, salt figure module 108 and random integers module 109, temporary key generation module 102 can be based on user and identify
Code, the device-fingerprint information and salt figure, the key derivation algorithm for executing the random integers time generate the temporary key.
Refering to what is shown in Fig. 5, in one embodiment, client 1 further includes:Password authentication module 106, for obtaining user
The password authentication information and identifying code of input verify the password authentication information and the identifying code, and when being verified, and show
Show CUSTOMER ID input interface.
On the other hand, password authentication module 106 can also be in continuous first pre-determined number password authentication information and identifying code
It is obstructed out-of-date to verify, and locks the verification password authentication information and identifying code mechanism, that is, limiting not allows user to continue to execute response
Flow, and unlocked after waiting for first time period, and continuous second pre-determined number password authentication information and verification after unlock
Code verification is obstructed out-of-date, locks the verification password authentication information and identifying code mechanism, and unlocked after waiting for second time period, and
Second time period is more than first time period, and so on.
Private key component deciphering module 112, for reading the client private key ciphertext, and it is temporarily close using the client
Key decrypts the client private key component ciphertext, obtains client private key component.
When client private key component is decrypted using client temporary key, any possible encryption side can be used
Formula carries out, as long as it is all right to be mapped with cipher mode.Such as client temporary key can be led to as symmetric key
It crosses client temporary key and symmetrical decryption is executed to client private key component, obtain client private key component.
With reference to figure 5, in one embodiment, client 1 further includes:Client private key copy destroys module 110, in number
In word signature process, after being digitally signed based on the client private key component, the client private key point in memory is destroyed
The copy of amount.So as to the possibility for avoiding the copy of the client private key component in memory from being known by other people, with further
Reinforce safety.
With reference to figure 5, in one embodiment, client 1 further includes:Client private key component matches authentication module 111, is used for
Whether matched with client private key component with the server-side co-verification server-side private key component.It is unauthorized so as to avoid
Use server-side private key component.
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment packet
Memory and processor are included, computer program is stored on the memory, wherein processor is realized as above when executing described program
The method for stating any one embodiment in each embodiment.
Fig. 6 shows the internal structure chart of one embodiment Computer equipment.On the computer equipment can be specifically
State the equipment one and equipment two involved in environment.As shown in fig. 6, the computer equipment includes the processing connected by system bus
Device, memory, network interface.Can also include input unit in the case where the computer equipment is user terminal.Wherein,
Memory includes non-volatile memory medium and built-in storage.The non-volatile memory medium of the computer equipment is stored with operation
System can also be stored with computer program, when which is executed by processor, processor may make to realize based on collaboration
The processing method of key.Also computer program can be stored in the built-in storage, it, can when which is executed by processor
So that processor executes the processing method based on collaboration key.
It will be understood by those skilled in the art that structure shown in Fig. 6, is only tied with the relevant part of application scheme
The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment
May include either combining certain components than more or fewer components as shown in the figure or being arranged with different components.
One of ordinary skill in the art will appreciate that realizing all or part of flow in above-described embodiment method, can pass through
Computer program is completed to instruct relevant hardware, and described program, which can be stored in a non-volatile computer storage can be read, to be situated between
In matter, the program is when being executed, it may include such as the flow of the embodiment of above-mentioned each method.Wherein, each reality provided herein
Apply any reference to memory, storage, database or other media used in example, may each comprise it is non-volatile and/or
Volatile memory.Nonvolatile memory may include read-only memory (ROM), programming ROM (PROM), electrically programmable ROM
(EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include random access memory (RAM)
Or external cache.By way of illustration and not limitation, RAM is available in many forms, such as static state RAM (SRAM),
It is dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhanced SDRAM (ESDRAM), same
Walk link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) directly RAM (RDRAM), direct memory bus
Dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Accordingly, a kind of computer storage media is also provided in one embodiment, is stored thereon with computer program, the meter
The method such as any one embodiment in the various embodiments described above is realized when calculation machine program is executed by processor.
Each technical characteristic of embodiment described above can be combined arbitrarily, to keep description succinct, not to above-mentioned reality
It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, it is all considered to be the range of this specification record.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously
It cannot therefore be construed as limiting the scope of the patent.It should be pointed out that those skilled in the art,
Under the premise of not departing from the application design, several modifications and improvements can be also made, these belong to the protection domain of the application.
Therefore, the protection domain of the application patent should be determined by the appended claims.
Claims (26)
1. a kind of processing method based on collaboration key, which is characterized in that the method includes the steps:
CUSTOMER ID is obtained, client temporary key is generated based on the CUSTOMER ID;
Generate client private key component;
The client private key component is encrypted using the client temporary key, obtains client private key component ciphertext.
2. according to the method described in claim 1, it is characterised in that it includes it is following it is every in any one:
First item:
Further include step before obtaining CUSTOMER ID input by user:Obtain device hardware parameter, device software parameter with
And equipment identities mark, it is generated based on the device hardware parameter, the device software parameter and equipment identities mark
Device-fingerprint information;
It is described based on the CUSTOMER ID generate client temporary key the step of include:Based on the CUSTOMER ID and institute
It states device-fingerprint information and generates the temporary key;
Section 2:
Further include step before obtaining CUSTOMER ID input by user:Salt figure is generated, and stores the salt figure;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and the salt
Value generates the temporary key;
Section 3:
Further include step before obtaining CUSTOMER ID input by user:Salt figure is generated, the salt figure is stored;And it obtains and sets
Standby hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter, the device software parameter
And the equipment identities mark generates device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, the salt
Value and the device-fingerprint information generate the temporary key;
Section 4:
Further include step before obtaining CUSTOMER ID input by user:Random integers are generated, and are stored described random whole
Number;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, institute is executed
The key derivation algorithm for stating random integers time generates the temporary key;
Section 5:
Further include step before obtaining CUSTOMER ID input by user:Salt figure and random integers are generated, and store the salt
Value and the random integers;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and the salt
Value, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 6:
Further include step before obtaining CUSTOMER ID input by user:Random integers are generated, and obtain device hardware ginseng
Number, device software parameter and equipment identities mark, based on the device hardware parameter, the device software parameter and described
Equipment identities mark generates device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and described set
Standby finger print information, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 7:
Further include step before obtaining CUSTOMER ID input by user:Salt figure and random integers are generated, and store the salt
Value and the random integers;And device hardware parameter, device software parameter and equipment identities mark are obtained, it is based on the equipment
Hardware parameter, the device software parameter and equipment identities mark generate device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, the salt
Value and the device-fingerprint information, the key derivation algorithm for executing the random integers time generate the temporary key.
At least one of 3. method according to claim 1 or 2, which is characterized in that in including following items:
First item:
Further include step before obtaining CUSTOMER ID input by user:
Obtain password authentication information input by user and identifying code;
The password authentication information and the identifying code are verified, and when being verified, shows CUSTOMER ID input interface;
Section 2:
In digital signature procedure, after being digitally signed based on the client private key component, the client in memory is destroyed
Hold the copy of private key component;
Section 3:
Before being digitally signed, whether matched with co-verification server-side private key component with client private key component.
4. a kind of processing method based on collaboration key, which is characterized in that the method includes the steps:
Obtain CUSTOMER ID and client private key component ciphertext;
Client temporary key is generated based on the CUSTOMER ID;
The client private key component ciphertext is decrypted with the client temporary key, obtains client private key component.
5. according to the method described in claim 4, it is characterised in that it includes it is following it is every in any one:
First item:
Further include step before generating client temporary key based on the CUSTOMER ID:It reads device hardware parameter, set
Standby software parameters and equipment identities identify, and are based on the device hardware parameter, the device software parameter and the equipment
Identity generates device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and described set
Standby finger print information generates the temporary key;
Section 2:
Further include step before generating client temporary key based on the CUSTOMER ID:Read the salt figure of storage;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and the salt
Value generates the temporary key;
Section 3:
Further include step before generating client temporary key based on the CUSTOMER ID:Read the salt figure of storage;And it reads
Taking equipment hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter, the device software
Parameter and equipment identities mark generate device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, the salt
Value and the device-fingerprint information generate the temporary key;
Section 4:
Further include step before generating client temporary key based on the CUSTOMER ID:Read the random integers of storage;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, institute is executed
The key derivation algorithm for stating random integers time generates the temporary key;
Section 5:
Further include step before generating client temporary key based on the CUSTOMER ID:Read storage salt figure and with
Machine integer;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and the salt
Value, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 6:
Further include step before generating client temporary key based on the CUSTOMER ID:The random integers of storage are read,
And device hardware parameter, device software parameter and equipment identities mark are read, based on the device hardware parameter, the equipment
Software parameters and equipment identities mark generate device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID and described set
Standby finger print information, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 7:
Further include step before generating client temporary key based on the CUSTOMER ID:Read storage salt figure and with
Machine integer;And obtain device hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter,
The device software parameter and equipment identities mark generate device-fingerprint information;
Include based on the step of CUSTOMER ID generation client temporary key:Based on the CUSTOMER ID, the salt
Value and the device-fingerprint information, the key derivation algorithm for executing the random integers time generate the temporary key.
At least one of 6. method according to claim 4 or 5, which is characterized in that in including following items:
First item:
Further include step before obtaining CUSTOMER ID input by user:
Obtain password authentication information input by user and identifying code;
The password authentication information and the identifying code are verified, and when being verified, shows CUSTOMER ID input interface;
Section 2:
In digital signature procedure, after being digitally signed based on the client private key component, the client in memory is destroyed
Hold the copy of private key component;
Section 3:
Before being digitally signed, with the server-side co-verification server-side private key component and client private key component whether
Matching.
7. a kind of processing method based on collaboration key, which is characterized in that the method includes the steps:
Client generates client private key component, obtains CUSTOMER ID, and it is interim to generate client based on the CUSTOMER ID
Key, and the client private key component is encrypted using the client temporary key, client private key component ciphertext is obtained,
And send message to server-side;
Server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction carries association letter
Breath, the control instruction to indicate the cipher machine according to the related information generate server-side private key component, the association
Information includes server-side platform identification.
8. the method according to the description of claim 7 is characterized in that any one in including following items:
First item:
The client further includes step before obtaining CUSTOMER ID input by user:Obtain device hardware parameter, equipment
Software parameters and equipment identities mark, are based on the device hardware parameter, the device software parameter and the equipment body
Part mark generates device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the device-fingerprint information generate the temporary key;
Section 2:
The client further includes step before obtaining CUSTOMER ID input by user:Salt figure is generated, and stores the salt
Value;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the salt figure generate the temporary key;
Section 3:
The client further includes step before obtaining CUSTOMER ID input by user:Salt figure is generated, the salt is stored
Value;And device hardware parameter, device software parameter and equipment identities mark are obtained, based on the device hardware parameter, described
Device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the salt figure and the device-fingerprint information generate the temporary key;
Section 4:
The client further includes step before obtaining CUSTOMER ID input by user:Random integers are generated, and store institute
State random integers;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 5:
The client further includes step before obtaining CUSTOMER ID input by user:Salt figure and random integers are generated, and
Store the salt figure and the random integers;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the salt figure, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 6:
The client further includes step before obtaining CUSTOMER ID input by user:Random integers are generated, and obtains and sets
Standby hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter, the device software parameter
And the equipment identities mark generates device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the device-fingerprint information, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 7:
The client further includes step before obtaining CUSTOMER ID input by user:Salt figure and random integers are generated, and
Store the salt figure and the random integers;And obtain device hardware parameter, device software parameter and equipment identities mark, base
It is identified in the device hardware parameter, the device software parameter and the equipment identities and generates device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the salt figure and the device-fingerprint information, the key derivation algorithm generation for executing the random integers time are described interim close
Key.
At least one of 9. method according to claim 7 or 8, which is characterized in that in including following items:
The client further includes step before obtaining CUSTOMER ID input by user:Password input by user is obtained to recognize
Demonstrate,prove information and identifying code;The password authentication information and the identifying code are verified, and when being verified, shows CUSTOMER ID
Input interface;
In digital signature procedure, the client based on the client private key component after being digitally signed, in destruction
The copy of client private key component in depositing;
Before being digitally signed, the client is private with client with the server-side co-verification server-side private key component
Whether key component matches;
The message includes user identifier and/or key identification;The related information further includes the user identifier and/or described
Key identification;
The control instruction is signature command, and the signature command is used to indicate the cipher machine and is generated according to the related information
Server-side private key component, and be digitally signed based on the server-side private key component;
The server-side is sent to the cipher machine destroys instruction, and the destruction instructs to indicate that the cipher machine destroys memory
In server-side private key component copy;
The server-side further includes step before sending control instruction to cipher machine:Generate the server-side platform identification;
The server-side private key component cannot be exported with plaintext version from the cipher machine;
The server-side private key component does not allow to be stored in non-volatile holographic storage component.
10. a kind of processing method based on collaboration key, which is characterized in that the method includes the steps:
Client obtains CUSTOMER ID and client private key component ciphertext, and it is interim to generate client based on the CUSTOMER ID
Key, and the client private key component ciphertext is decrypted using the client temporary key, client private key component is obtained,
And send message to server-side;
Server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction carries association letter
Breath, the control instruction to indicate the cipher machine according to the related information generate server-side private key component, the association
Information includes server-side platform identification.
11. processing method according to claim 10, which is characterized in that any one in including following items:
First item:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read equipment
Hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter, the device software parameter with
And the equipment identities mark generates device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the device-fingerprint information generate the temporary key;
Section 2:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Salt figure;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the salt figure generate the temporary key;
Section 3:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Salt figure;And read device hardware parameter, device software parameter and equipment identities mark, based on the device hardware parameter,
The device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the salt figure and the device-fingerprint information generate the temporary key;
Section 4:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Random integers;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 5:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Salt figure and random integers;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the salt figure, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 6:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Random integers, and read device hardware parameter, device software parameter and equipment identities mark, based on the device hardware join
Several, the described device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code and the device-fingerprint information, the key derivation algorithm for executing the random integers time generate the temporary key;
Section 7:
The client further includes step before generating client temporary key based on the CUSTOMER ID:Read storage
Salt figure and random integers;And device hardware parameter, device software parameter and equipment identities mark are obtained, it is based on the equipment
Hardware parameter, the device software parameter and equipment identities mark generate device-fingerprint information;
The client be based on the CUSTOMER ID generate client temporary key the step of include:It is identified based on the user
Code, the salt figure and the device-fingerprint information, the key derivation algorithm generation for executing the random integers time are described interim close
Key.
At least one of 12. the method according to claim 10 or 11, which is characterized in that in including following items:
The client further includes step before obtaining CUSTOMER ID input by user:Password input by user is obtained to recognize
Demonstrate,prove information and identifying code;The password authentication information and the identifying code are verified, and when being verified, shows CUSTOMER ID
Input interface;
In digital signature procedure, the client based on the client private key component after being digitally signed, in destruction
The copy of client private key component in depositing;
Before being digitally signed, the client is private with client with the server-side co-verification server-side private key component
Whether key component matches;
The message includes user identifier and/or key identification;The related information further includes the user identifier and/or described
Key identification;
The control instruction is signature command, the signature command be used to indicate the cipher machine according to the related information and
The symmetric key of the cipher machine is generated server-side private key component, and is digitally signed based on the server-side private key component;
The server-side is sent to the cipher machine destroys instruction, and the destruction instructs to indicate that the cipher machine destroys memory
In server-side private key component copy;
Further include step before the server-side sends control instruction to cipher machine:The server-side generates the server-side
Platform identification;
The server-side private key component cannot be exported with plaintext version from the cipher machine;
The server-side private key component does not allow to be stored in non-volatile holographic storage component.
13. a kind of processing system based on collaboration key, which is characterized in that the system comprises clients and server-side;
The client generates client private key component, obtains CUSTOMER ID, and client is generated based on the CUSTOMER ID
Temporary key, and the client private key component is encrypted using the client temporary key, obtain client private key component
Ciphertext, and send message to server-side;
The server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction, which carries, closes
Join information, the control instruction is described to indicate that the cipher machine generates server-side private key component according to the related information
Related information includes server-side platform identification.
14. wanting the system described in 13 according to right, which is characterized in that the client includes:
Client private key component generation module, for generating client private key component;
Temporary key generation module generates client temporary key for obtaining CUSTOMER ID based on the CUSTOMER ID;
Private key component encrypting module is obtained for being encrypted to the client private key component using the client temporary key
Client private key component ciphertext;
Client communication module, for sending message to the server-side.
15. system according to claim 14, which is characterized in that any one in including following items:
First item:
The client further includes:Device-fingerprint information module, for obtaining device hardware parameter, device software parameter and setting
Standby identity generates equipment based on the device hardware parameter, the device software parameter and equipment identities mark
Finger print information;
The temporary key generation module is based on the CUSTOMER ID and the device-fingerprint information generates the temporary key;
Section 2:
The client further includes:Salt figure module for generating salt figure, and stores the salt figure;
The temporary key generation module is based on the CUSTOMER ID and the salt figure generates the temporary key;
Section 3:
The client further includes device-fingerprint information module and salt figure module;
The device-fingerprint information module, for obtaining device hardware parameter, device software parameter and equipment identities mark, base
It is identified in the device hardware parameter, the device software parameter and the equipment identities and generates device-fingerprint information;
The salt figure module for generating salt figure, and stores the salt figure;
The temporary key generation module is based on described in the CUSTOMER ID, the salt figure and device-fingerprint information generation
Temporary key;
Section 4:
The client further includes:Random integers module for generating random integers, and stores the random integers;
The temporary key generation module is based on the CUSTOMER ID, executes the key derivation algorithm life of the random integers time
At the temporary key;
Section 5:
The client further includes:Random integers module and device-fingerprint information module;
Random integers module for generating random integers, and stores the random integers;
Device-fingerprint information module is based on institute for obtaining device hardware parameter, device software parameter and equipment identities mark
It states device hardware parameter, the device software parameter and equipment identities mark and generates device-fingerprint information;
The temporary key generation module is based on the CUSTOMER ID and the device-fingerprint information, executes the random integers
Secondary key derivation algorithm generates the temporary key;
Section 6:
The client further includes:Random integers module and salt figure module;
Random integers module for generating random integers, and stores the random integers;
Salt figure module for generating salt figure, and stores the salt figure;
The temporary key generation module is based on the CUSTOMER ID and the salt figure, executes the key of the random integers time
It derives from algorithm and generates the temporary key;
Section 7:
The client further includes:Random integers module, device-fingerprint information module and salt figure module;
Random integers module for generating random integers, and stores the random integers;
Device-fingerprint information module is based on institute for obtaining device hardware parameter, device software parameter and equipment identities mark
It states device hardware parameter, the device software parameter and equipment identities mark and generates device-fingerprint information;
Salt figure module for generating salt figure, and stores the salt figure;
The temporary key generation module is based on the CUSTOMER ID, the salt figure and the device-fingerprint information, executes institute
The key derivation algorithm for stating random integers time generates the temporary key.
16. according to the system described in claim 13 to 15 any one, which is characterized in that at least one in including following items
:
First item:
The client further includes:Password authentication module is verified for obtaining password authentication information input by user and identifying code
The password authentication information and the identifying code, and when being verified, show CUSTOMER ID input interface;
Section 2:
The client further includes:Client private key copy destroys module, is used in digital signature procedure, based on the visitor
After family end private key component is digitally signed, the copy of the client private key component in memory is destroyed;
Section 3:
The client further includes:Client private key component matches authentication module, is used for and the server-side co-verification service
Whether end private key component matches with client private key component.
17. according to the system described in claim 13 to 15 any one, which is characterized in that the server-side includes:
Server-side communication module, the message for receiving client transmission;
Private key component processing and control module, for sending control instruction to cipher machine, the control instruction carries related information, institute
Control instruction is stated to indicate that the cipher machine generates server-side private key component, the related information packet according to the related information
Include server-side platform identification.
At least one of 18. system according to claim 17, which is characterized in that in including following items:
The message includes user identifier and/or key identification;The related information further includes the user identifier and/or described
Key identification;
The control instruction is signature command, and the signature command is used to indicate the cipher machine and is generated according to the related information
Server-side private key component, and be digitally signed based on the server-side private key component;
The server-side further includes:Server-side private key copy destroys module, and instruction is destroyed for being sent to the cipher machine, described
Instruction is destroyed to indicate that the cipher machine destroys the server-side private key component copy in memory;
The server-side further includes:Platform identification generation module, for generating the server-side platform identification;
The server-side further includes:Security permission control module, cannot be with plaintext shape for controlling the server-side private key component
Formula is exported from the cipher machine;And the server-side private key component is controlled, do not allow to be stored in non-volatile holographic storage component.
19. a kind of processing system based on collaboration key, which is characterized in that the system comprises clients and server-side;
The client obtains CUSTOMER ID and client private key component ciphertext, and client is generated based on the CUSTOMER ID
Temporary key, and the client private key component ciphertext is decrypted using the client temporary key, obtain client private key
Component, and send message to server-side;
The server-side receives the message that client is sent, and sends control instruction to cipher machine, and the control instruction, which carries, closes
Join information, the control instruction is described to indicate that the cipher machine generates server-side private key component according to the related information
Related information includes server-side platform identification.
20. system according to claim 19, which is characterized in that the client includes:
Client private key ciphertext memory module, for storing client private key ciphertext;
Temporary key generation module generates client temporary key for obtaining CUSTOMER ID based on the CUSTOMER ID;
Private key component deciphering module, for reading the client private key ciphertext, and using the client temporary key to institute
The decryption of client private key component ciphertext is stated, client private key component is obtained;
Client communication module, for sending message to the server-side.
21. system according to claim 20, which is characterized in that any one in including following items:
First item:
The client further includes:Device-fingerprint information module, for reading device hardware parameter, device software parameter and setting
Standby identity generates equipment based on the device hardware parameter, the device software parameter and equipment identities mark
Finger print information;
The temporary key generation module is based on the CUSTOMER ID and the device-fingerprint information generates the temporary key;
Section 2:
The client further includes:Salt figure module, the salt figure for reading storage;
The temporary key generation module is based on the CUSTOMER ID and the salt figure generates the temporary key;
Section 3:
The client further includes device-fingerprint information module and salt figure module;
The device-fingerprint information module, for reading device hardware parameter, device software parameter and equipment identities mark, base
It is identified in the device hardware parameter, the device software parameter and the equipment identities and generates device-fingerprint information;
The salt figure module, the salt figure for reading storage;
The temporary key generation module is based on described in the CUSTOMER ID, the salt figure and device-fingerprint information generation
Temporary key;
Section 4:
The client further includes:Random integers module, the random integers for reading storage;
The temporary key generation module is based on the CUSTOMER ID, executes the key derivation algorithm life of the random integers time
At the temporary key;
Section 5:
The client further includes:Random integers module and device-fingerprint information module;
Random integers module, the random integers for reading storage;
Device-fingerprint information module is based on institute for reading device hardware parameter, device software parameter and equipment identities mark
It states device hardware parameter, the device software parameter and equipment identities mark and generates device-fingerprint information;
The temporary key generation module is based on the CUSTOMER ID and the device-fingerprint information, executes the random integers
Secondary key derivation algorithm generates the temporary key;
Section 6:
The client further includes:Random integers module and salt figure module;
Random integers module, the random integers for reading storage;
Salt figure module, the salt figure for reading storage;
The temporary key generation module is based on the CUSTOMER ID and the salt figure, executes the key of the random integers time
It derives from algorithm and generates the temporary key;
Section 7:
The client further includes:Random integers module, device-fingerprint information module and salt figure module;
Random integers module, the random integers for reading storage;
Device-fingerprint information module is based on institute for reading device hardware parameter, device software parameter and equipment identities mark
It states device hardware parameter, the device software parameter and equipment identities mark and generates device-fingerprint information;
Salt figure module, the salt figure for reading storage;
The temporary key generation module is based on the CUSTOMER ID, the salt figure and the device-fingerprint information, executes institute
The key derivation algorithm for stating random integers time generates the temporary key.
22. according to the system described in claim 19 to 21 any one, which is characterized in that at least one in including following items
:
First item:The client further includes:Password authentication module, for obtaining password authentication information input by user and verification
Code, verifies the password authentication information and the identifying code, and when being verified, and shows CUSTOMER ID input interface;
Section 2:
The client further includes:Client private key copy destroys module, is used in digital signature procedure, based on the visitor
After family end private key component is digitally signed, the copy of the client private key component in memory is destroyed;
Section 3:
The client further includes:Client private key component matches authentication module, is used for and the server-side co-verification service
Whether end private key component matches with client private key component.
23. according to the system described in claim 19 to 21 any one, which is characterized in that the server-side includes:
Server-side communication module, the message for receiving client transmission;
Private key component processing and control module, for sending control instruction to cipher machine, the control instruction carries related information, institute
Control instruction is stated to indicate that the cipher machine according to the related information and the symmetric key of the cipher machine, generates service
Private key component is held, the related information includes server-side platform identification.
At least one of 24. system according to claim 23, which is characterized in that in including following items:
The message includes user identifier and/or key identification;The related information further includes the user identifier and/or described
Key identification;
The control instruction is signature command, the signature command be used to indicate the cipher machine according to the related information and
The symmetric key of the cipher machine is generated server-side private key component, and is digitally signed based on the server-side private key component;
The server-side further includes:Server-side private key copy destroys module, and instruction is destroyed for being sent to the cipher machine, described
Instruction is destroyed to indicate that the cipher machine destroys the server-side private key component copy in memory;
The server-side further includes:Platform identification generation module, for generating the server-side platform identification;
The server-side further includes:Security permission control module, cannot be with plaintext shape for controlling the server-side private key component
Formula is exported from the cipher machine;And the server-side private key component is controlled, do not allow to be stored in non-volatile holographic storage component.
25. a kind of computer equipment, including memory and processor, computer program, feature are stored on the memory
It is, when the processor executes the computer program the step of realization claim 1 to 6 any one of them method, or
Person realizes the processing step of client or server-side in the method for any one of claim 7 to 12.
26. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the program is by processor
The step of claim 1 to 6 any one of them method is realized when execution, or realize the institute of any one of claim 7 to 12
State the processing step of the client or server-side in method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810220849.8A CN108494551A (en) | 2018-03-16 | 2018-03-16 | Processing method, system, computer equipment and storage medium based on collaboration key |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810220849.8A CN108494551A (en) | 2018-03-16 | 2018-03-16 | Processing method, system, computer equipment and storage medium based on collaboration key |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108494551A true CN108494551A (en) | 2018-09-04 |
Family
ID=63339844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810220849.8A Pending CN108494551A (en) | 2018-03-16 | 2018-03-16 | Processing method, system, computer equipment and storage medium based on collaboration key |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108494551A (en) |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109274503A (en) * | 2018-11-05 | 2019-01-25 | 北京仁信证科技有限公司 | Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system |
CN110098928A (en) * | 2019-05-08 | 2019-08-06 | 国家电网有限公司 | A kind of key generation method and device of collaboration signature |
CN110572366A (en) * | 2019-08-09 | 2019-12-13 | 五八有限公司 | Network data transmission method and device, electronic equipment and storage medium |
CN111130803A (en) * | 2019-12-26 | 2020-05-08 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111600717A (en) * | 2020-05-12 | 2020-08-28 | 北京海益同展信息科技有限公司 | SM 2-based decryption method and system, electronic device and storage medium |
CN111865579A (en) * | 2020-07-10 | 2020-10-30 | 郑州信大捷安信息技术股份有限公司 | SM2 algorithm transformation-based data encryption and decryption method and device |
WO2020258125A1 (en) * | 2019-06-27 | 2020-12-30 | 云图有限公司 | Private key recovery method and apparatus, collaborative address creation method and apparatus, collaborative address signing method and apparatus, and storage medium |
WO2021057073A1 (en) * | 2019-09-24 | 2021-04-01 | 支付宝(杭州)信息技术有限公司 | Private key generation and use method, apparatus and device in asymmetric key |
CN112653554A (en) * | 2020-12-30 | 2021-04-13 | 成都卫士通信息产业股份有限公司 | Signature method, system, equipment and readable storage medium |
CN112966286A (en) * | 2021-03-30 | 2021-06-15 | 建信金融科技有限责任公司 | Method, system, device and computer readable medium for user login |
CN113051585A (en) * | 2021-03-10 | 2021-06-29 | 宁波小遛共享信息科技有限公司 | Data verification method and device, electronic equipment and storage medium |
CN113300842A (en) * | 2021-05-26 | 2021-08-24 | 清创网御(北京)科技有限公司 | Method for improving security of symmetric encryption algorithm |
CN114785495A (en) * | 2022-04-01 | 2022-07-22 | 安天科技集团股份有限公司 | Key derivation method, data encryption method, server, electronic device, and storage medium |
CN115102750A (en) * | 2022-06-16 | 2022-09-23 | 平安银行股份有限公司 | Private data processing method, system, computer terminal and readable storage medium |
CN115268793A (en) * | 2022-08-03 | 2022-11-01 | 中国电子科技集团公司信息科学研究院 | Data safety deleting method based on data encryption and overwriting |
CN116032655A (en) * | 2023-02-13 | 2023-04-28 | 杭州天谷信息科技有限公司 | Identity authentication method and system capable of resisting timing attack |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102377564A (en) * | 2011-11-15 | 2012-03-14 | 华为技术有限公司 | Method and device for encrypting private key |
CN104660397A (en) * | 2013-11-18 | 2015-05-27 | 卓望数码技术(深圳)有限公司 | Secret key managing method and system |
US20160132682A1 (en) * | 2008-04-28 | 2016-05-12 | Novell, Inc. | Techniques for secure data management in a distributed environment |
CN106452764A (en) * | 2016-12-02 | 2017-02-22 | 武汉理工大学 | Method for automatically updating identification private key and password system |
CN107302438A (en) * | 2017-08-07 | 2017-10-27 | 收付宝科技有限公司 | A kind of private key protection method based on key updating, system and device |
-
2018
- 2018-03-16 CN CN201810220849.8A patent/CN108494551A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160132682A1 (en) * | 2008-04-28 | 2016-05-12 | Novell, Inc. | Techniques for secure data management in a distributed environment |
CN102377564A (en) * | 2011-11-15 | 2012-03-14 | 华为技术有限公司 | Method and device for encrypting private key |
CN104660397A (en) * | 2013-11-18 | 2015-05-27 | 卓望数码技术(深圳)有限公司 | Secret key managing method and system |
CN106452764A (en) * | 2016-12-02 | 2017-02-22 | 武汉理工大学 | Method for automatically updating identification private key and password system |
CN107302438A (en) * | 2017-08-07 | 2017-10-27 | 收付宝科技有限公司 | A kind of private key protection method based on key updating, system and device |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109274503A (en) * | 2018-11-05 | 2019-01-25 | 北京仁信证科技有限公司 | Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system |
CN110098928A (en) * | 2019-05-08 | 2019-08-06 | 国家电网有限公司 | A kind of key generation method and device of collaboration signature |
CN110098928B (en) * | 2019-05-08 | 2022-02-25 | 国家电网有限公司 | Key generation method and device for collaborative signature |
WO2020258125A1 (en) * | 2019-06-27 | 2020-12-30 | 云图有限公司 | Private key recovery method and apparatus, collaborative address creation method and apparatus, collaborative address signing method and apparatus, and storage medium |
CN110572366A (en) * | 2019-08-09 | 2019-12-13 | 五八有限公司 | Network data transmission method and device, electronic equipment and storage medium |
CN110572366B (en) * | 2019-08-09 | 2021-08-20 | 五八有限公司 | Network data transmission method and device, electronic equipment and storage medium |
WO2021057073A1 (en) * | 2019-09-24 | 2021-04-01 | 支付宝(杭州)信息技术有限公司 | Private key generation and use method, apparatus and device in asymmetric key |
CN111130803A (en) * | 2019-12-26 | 2020-05-08 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111130803B (en) * | 2019-12-26 | 2023-02-17 | 信安神州科技(广州)有限公司 | Method, system and device for digital signature |
CN111600717B (en) * | 2020-05-12 | 2024-01-12 | 京东科技信息技术有限公司 | SM 2-based decryption method, system, electronic equipment and storage medium |
CN111600717A (en) * | 2020-05-12 | 2020-08-28 | 北京海益同展信息科技有限公司 | SM 2-based decryption method and system, electronic device and storage medium |
CN111865579A (en) * | 2020-07-10 | 2020-10-30 | 郑州信大捷安信息技术股份有限公司 | SM2 algorithm transformation-based data encryption and decryption method and device |
CN112653554A (en) * | 2020-12-30 | 2021-04-13 | 成都卫士通信息产业股份有限公司 | Signature method, system, equipment and readable storage medium |
CN112653554B (en) * | 2020-12-30 | 2023-03-31 | 成都卫士通信息产业股份有限公司 | Signature method, system, equipment and readable storage medium |
CN113051585A (en) * | 2021-03-10 | 2021-06-29 | 宁波小遛共享信息科技有限公司 | Data verification method and device, electronic equipment and storage medium |
CN112966286A (en) * | 2021-03-30 | 2021-06-15 | 建信金融科技有限责任公司 | Method, system, device and computer readable medium for user login |
CN113300842A (en) * | 2021-05-26 | 2021-08-24 | 清创网御(北京)科技有限公司 | Method for improving security of symmetric encryption algorithm |
CN114785495A (en) * | 2022-04-01 | 2022-07-22 | 安天科技集团股份有限公司 | Key derivation method, data encryption method, server, electronic device, and storage medium |
CN115102750A (en) * | 2022-06-16 | 2022-09-23 | 平安银行股份有限公司 | Private data processing method, system, computer terminal and readable storage medium |
CN115102750B (en) * | 2022-06-16 | 2024-02-02 | 平安银行股份有限公司 | Private data processing method, system, computer terminal and readable storage medium |
CN115268793A (en) * | 2022-08-03 | 2022-11-01 | 中国电子科技集团公司信息科学研究院 | Data safety deleting method based on data encryption and overwriting |
CN116032655A (en) * | 2023-02-13 | 2023-04-28 | 杭州天谷信息科技有限公司 | Identity authentication method and system capable of resisting timing attack |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108494551A (en) | Processing method, system, computer equipment and storage medium based on collaboration key | |
CN108471352B (en) | Processing method, system, computer equipment and storage medium based on distributed private key | |
US8516268B2 (en) | Secure field-programmable gate array (FPGA) architecture | |
US8966276B2 (en) | System and method providing disconnected authentication | |
US8059818B2 (en) | Accessing protected data on network storage from multiple devices | |
EP2020797B1 (en) | Client-server Opaque token passing apparatus and method | |
US9330245B2 (en) | Cloud-based data backup and sync with secure local storage of access keys | |
EP2204008B1 (en) | Credential provisioning | |
CN109728903B (en) | Block chain weak center password authorization method using attribute password | |
CN108737442A (en) | A kind of cryptographic check processing method | |
CN107920052B (en) | Encryption method and intelligent device | |
EP2339777A2 (en) | Method of authenticating a user to use a system | |
US20130097427A1 (en) | Soft-Token Authentication System | |
CN107453880A (en) | A kind of cloud secure storage method of data and system | |
CN110493177B (en) | Method and system for quantum communication service station AKA key negotiation based on asymmetric key pool pair and serial number | |
US8806216B2 (en) | Implementation process for the use of cryptographic data of a user stored in a data base | |
Xia et al. | Design of secure FTP system | |
US11463251B2 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
US11671475B2 (en) | Verification of data recipient | |
CN110768792B (en) | Main key generation method, device and encryption and decryption method for sensitive security parameters | |
EP3185504A1 (en) | Security management system for securing a communication between a remote server and an electronic device | |
KR20100013486A (en) | Biometric authentication method, client and server | |
CN110535632A (en) | Based on unsymmetrical key pond to and DH agreement quantum communications service station AKA cryptographic key negotiation method and system | |
CN110138547A (en) | Based on unsymmetrical key pond to and sequence number quantum communications service station cryptographic key negotiation method and system | |
Doherty et al. | Dynamic symmetric key provisioning protocol (dskpp) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180904 |