CN109039627A - Cryptographic key negotiation method, equipment, storage medium and system - Google Patents

Publication number
CN109039627A
Authority
CN
China
Prior art keywords
key
net equipment
distribution net
public key
distribution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811302448.3A
Other languages
Chinese (zh)
Inventor
王攀
刘复鑫
谢建军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Midea Group Co Ltd
Original Assignee
Midea Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Midea Group Co Ltd filed Critical Midea Group Co Ltd
Priority to CN201811302448.3A priority Critical patent/CN109039627A/en
Publication of CN109039627A publication Critical patent/CN109039627A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a key negotiation method comprising the following steps: after receiving a key negotiation request message sent by non-distribution net equipment, distribution net equipment obtains the non-distribution net equipment public key from the key negotiation request message; generates and saves a first session key according to the non-distribution net equipment public key and the distribution net equipment private key; and returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment, on receiving the distribution net equipment public key, generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key. The invention also discloses distribution net equipment, non-distribution net equipment, a computer-readable storage medium and a key agreement system. The invention enables non-distribution net equipment to connect to the network automatically, thereby improving the communication security of home equipment.

Description

Cryptographic key negotiation method, equipment, storage medium and system
Technical field
The present invention relates to the field of information security technology, and in particular to a key negotiation method, distribution net equipment, non-distribution net equipment, a computer-readable storage medium and a key agreement system.
Background art
With the continuous development of information technology, smart devices are widely used in daily life. When new equipment is being provisioned onto a network (distribution), the distribution net equipment, i.e. the equipment already on the network, usually broadcasts the key directly and sends the distribution information to the new equipment so that the new equipment joins the network, but this approach has low security.
The above content is only intended to aid understanding of the technical solution of the present invention, and does not constitute an admission that the above content is prior art.
Summary of the invention
The main purpose of the present invention is to provide a key negotiation method, equipment, a computer-readable storage medium and a key agreement system, so that distribution net equipment automatically searches for non-distribution net equipment, performs key negotiation with the non-distribution net equipment to obtain a session key, and sends the distribution information to the non-distribution net equipment after encrypting it with the session key; the non-distribution net equipment thus connects to the network automatically, improving the communication security of home equipment.
To achieve the above object, the present invention provides a key negotiation method comprising the following steps:
after receiving a key negotiation request message sent by non-distribution net equipment, distribution net equipment obtains the non-distribution net equipment public key from the key negotiation request message;
generating and saving a first session key according to the non-distribution net equipment public key and the distribution net equipment private key;
returning the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment, on receiving the distribution net equipment public key, generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
Preferably, the step of obtaining the non-distribution net equipment public key from the key negotiation request message comprises:
the distribution net equipment extracts the non-distribution net equipment public key certificate and a root public key index from the key negotiation request message;
extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
Preferably, before the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index, the method further comprises:
performing a hash operation on preset information in the non-distribution net equipment public key certificate to obtain a second hash value, the preset information including at least one of the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier and the non-distribution net equipment public key;
when the second hash value is consistent with the first hash value in the non-distribution net equipment public key certificate, executing the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
Preferably, the step of presupposed information in the non-distribution net equipment public key certificate carries out Hash operation it Before, further includes:
Using the signature result in non-distribution net equipment public key certificate described in predetermined server public key decryptions, third Hash is obtained Value, wherein the signature result is that Cloud Server is encrypted to obtain using predetermined server private key to first cryptographic Hash;
When the third cryptographic Hash is consistent with first cryptographic Hash, execute described to the non-distribution net equipment public key card The step of presupposed information in book carries out Hash operation.
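The two certificate checks described above, in the order the text gives them, as an added example that is not code from the patent. The byte layout of the certificate, SHA-256, the unpadded toy RSA key built from two Mersenne primes, and the reading of the root public key index as a selector for the preset server public key are all assumptions made for illustration.

```python
import hashlib
import struct

# Constructed toy RSA key pair standing in for the "preset server" keys.
# Two Mersenne primes make the modulus easy to write down; never use such a key.
_P, _Q = 2**521 - 1, 2**607 - 1
SERVER_N, SERVER_E = _P * _Q, 65537
_SERVER_D = pow(SERVER_E, -1, (_P - 1) * (_Q - 1))

# Assumption: the root public key index selects one preset server public key.
ROOT_KEYS = {1: (SERVER_N, SERVER_E)}

# Assumed layout of the "preset information":
# format, serial number, hash algorithm id, public key algorithm id, public key.
INFO = struct.Struct(">BIBB32s")
HASH_LEN = 32
SIG_LEN = (SERVER_N.bit_length() + 7) // 8


def issue_certificate(serial: int, device_pub: bytes) -> bytes:
    """Cloud server side: hash the preset information, then sign the hash."""
    info = INFO.pack(1, serial, 1, 1, device_pub)
    first_hash = hashlib.sha256(info).digest()
    signature = pow(int.from_bytes(first_hash, "big"), _SERVER_D, SERVER_N)
    return info + first_hash + signature.to_bytes(SIG_LEN, "big")


def check_certificate(cert: bytes, root_index: int):
    """Return (status, public_key); public_key is None unless status is 'ok'."""
    if root_index not in ROOT_KEYS:
        return "unknown root public key index", None
    if len(cert) != INFO.size + HASH_LEN + SIG_LEN:
        return "malformed certificate", None
    n, e = ROOT_KEYS[root_index]
    info = cert[:INFO.size]
    first_hash = cert[INFO.size:INFO.size + HASH_LEN]
    signature = int.from_bytes(cert[INFO.size + HASH_LEN:], "big")

    # Check 1: recover the third hash value from the signature result and
    # compare it with the first hash value carried in the certificate.
    third_hash = pow(signature, e, n)
    if signature >= n or third_hash != int.from_bytes(first_hash, "big"):
        return "signature does not match first hash", None

    # Check 2: recompute the second hash value over the preset information.
    second_hash = hashlib.sha256(info).digest()
    if second_hash != first_hash:
        return "preset information does not match first hash", None

    # Only now is the public key taken out of the certificate.
    _fmt, _serial, _hash_alg, _pk_alg, public_key = INFO.unpack(info)
    return "ok", public_key


def flip_byte(data: bytes, offset: int) -> bytes:
    """Build a constructed corrupted copy of a certificate for the demo."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


if __name__ == "__main__":
    cert = issue_certificate(1001, bytes(range(32)))   # constructed sample
    print(check_certificate(cert, 1)[0])
    print(check_certificate(flip_byte(cert, 10), 1)[0])
    print(check_certificate(flip_byte(cert, INFO.size), 1)[0])
```

A certificate whose public key was altered passes the first check and fails the second, while one whose stored hash was altered fails the first; a production design would use a padded signature scheme such as RSA-PSS or ECDSA rather than raw RSA.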
Preferably, after the step of generating and saving the first session key according to the non-distribution net equipment public key and the distribution net equipment private key, the method further comprises:
encrypting the first session key according to a preset algorithm to generate a first key check value;
returning the distribution net equipment public key and the first key check value to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key and the first key check value, generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to the preset algorithm to generate a second key check value, and, when the second key check value is consistent with the first key check value, saves the second session key, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
Preferably, after the step of encrypting the first session key according to the preset algorithm to generate the first key check value, the method further comprises:
returning the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key certificate and the first key check value, verifies the signature of the distribution net equipment public key certificate and, after the signature verification passes, extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and, when the third key check value is consistent with the first key check value, saves the third session key, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
Preferably, after the step of returning the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment, the method further comprises:
on receiving the key agreement confirmation message returned by the non-distribution net equipment, the distribution net equipment decrypts the key agreement confirmation message using the session key to obtain a decryption result;
when the decryption result contains a preset field, encrypting the distribution information using the first session key and sending the encrypted distribution information to the non-distribution net equipment, so that the non-distribution net equipment carries out distribution.
Preferably, the step of encrypting the first session key according to the preset algorithm to generate the first key check value comprises:
encrypting predetermined bytes according to the first session key to obtain an encryption result;
taking preset bytes of the encryption result as the first key check value.
To achieve the above object, the present invention also provides a key negotiation method comprising the following steps:
non-distribution net equipment generates a key negotiation request message according to the non-distribution net equipment public key and sends it to distribution net equipment, so that the distribution net equipment obtains the non-distribution net equipment public key from the key negotiation request message, generates and saves a first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment;
on receiving the distribution net equipment public key, the non-distribution net equipment generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
Preferably, after the step in which the non-distribution net equipment generates a key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further comprises:
on receiving the distribution net equipment public key and a first key check value, the non-distribution net equipment generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to a preset algorithm to generate a second key check value, and, when the second key check value is consistent with the first key check value, saves the second session key, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key and the first key check value to the non-distribution net equipment.
Preferably, after the step in which the non-distribution net equipment generates a key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further comprises:
on receiving the distribution net equipment public key certificate and the first key check value, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and, when the third key check value is consistent with the first key check value, saves the third session key, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment.
Preferably, before the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate, the method further comprises:
performing a hash operation on preset information in the distribution net equipment public key certificate to obtain a fifth hash value, the preset information including at least one of the certificate format, the certificate serial number, the hash algorithm identifier, the distribution net equipment public key algorithm identifier and the distribution net equipment public key;
when the fifth hash value is consistent with the fourth hash value in the distribution net equipment public key certificate, executing the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate.
Preferably, the step of presupposed information in the public key certificate of distribution net equipment carries out Hash operation it Before, further includes:
Using the signature result in distribution net equipment public key certificate described in predetermined server public key decryptions, the 6th Hash is obtained Value, wherein the signature result is that Cloud Server is encrypted to obtain using predetermined server private key to first cryptographic Hash;
When the 6th cryptographic Hash is consistent with the 4th cryptographic Hash, execute described to the public key of distribution net equipment card The step of presupposed information in book carries out Hash operation.
Preferably, after the step in which the third session key and the first session key serve as the session key between the distribution net equipment and the non-distribution net equipment, the method further comprises:
the non-distribution net equipment encrypts a preset field using the session key to obtain a key agreement confirmation message;
sending the key agreement confirmation message to the distribution net equipment, so that the distribution net equipment, on receiving the key agreement confirmation message, decrypts it using the session key to obtain a decryption result and, when the decryption result contains the preset field, encrypts the distribution information using the session key and sends the encrypted distribution information to the non-distribution net equipment.
Preferably, the step of encrypting the second session key according to the preset algorithm to generate the second key check value comprises:
encrypting predetermined bytes according to the session key to obtain an encryption result;
taking preset bytes of the encryption result as the second key check value.
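The exchange and key check value comparison described above, written out for both sides as an added example that is not code from the patent. The patent names no algorithms, so X25519 for the key agreement, SHA-256 for deriving the session key, and truncated HMAC-SHA256 standing in for "encrypt predetermined bytes and keep preset bytes" are assumptions, as are the 16 zero bytes and the 4-byte length.

```python
import hashlib
import hmac
import os

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")
KCV_INPUT = bytes(16)                # assumption: the "predetermined bytes"
KCV_LEN = 4                          # assumption: how many "preset bytes" are kept


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustration only: not constant-time."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    private = os.urandom(32)
    return private, x25519(private, BASE_POINT)


def derive_session_key(own_private: bytes, peer_public: bytes) -> bytes:
    """Session key from the peer's public key and one's own private key."""
    shared = x25519(own_private, peer_public)
    if shared == bytes(32):
        # A low-order peer key forces an all-zero secret; refuse it.
        raise ValueError("peer public key yields an all-zero shared secret")
    return hashlib.sha256(b"session-key" + shared).digest()


def key_check_value(session_key: bytes) -> bytes:
    """Stand-in for the preset algorithm: keyed MAC over fixed bytes, truncated."""
    return hmac.new(session_key, KCV_INPUT, hashlib.sha256).digest()[:KCV_LEN]


def distribution_side_respond(request_public, own_private, own_public):
    """Distribution net equipment: first session key and first key check value."""
    first_key = derive_session_key(own_private, request_public)
    return first_key, {"public": own_public, "kcv": key_check_value(first_key)}


def non_distribution_side_finish(response, own_private):
    """Non-distribution net equipment: save the key only if the values agree."""
    second_key = derive_session_key(own_private, response["public"])
    if not hmac.compare_digest(key_check_value(second_key), response["kcv"]):
        return None                  # mismatch: the key is not saved
    return second_key


def run_exchange(corrupt_response: bool = False):
    """Run one exchange; optionally replace the returned public key in transit."""
    new_private, new_public = keypair()          # non-distribution net equipment
    cfg_private, cfg_public = keypair()          # distribution net equipment
    first_key, response = distribution_side_respond(new_public, cfg_private, cfg_public)
    if corrupt_response:
        response = dict(response, public=keypair()[1])   # constructed fault
    return first_key, non_distribution_side_finish(response, new_private)


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("keys agree:", k1 == k2)
    print("after corrupted response:", run_exchange(corrupt_response=True)[1])
```

A matching key check value only shows that both sides derived the same key; that the public key belongs to the expected equipment rests on the certificate verification in the certificate variants of the method.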
To achieve the above object, the present invention also provides distribution net equipment, the distribution net equipment comprising:
a memory, a processor, and a key agreement program stored on the memory and executable on the processor, the key agreement program implementing the steps of the above key negotiation method when executed by the processor.
To achieve the above object, the present invention also provides non-distribution net equipment, the non-distribution net equipment comprising:
a memory, a processor, and a key agreement program stored on the memory and executable on the processor, the key agreement program implementing the steps of the above key negotiation method when executed by the processor.
To achieve the above object, the present invention also provides a computer-readable storage medium on which a key agreement program is stored, the key agreement program implementing the steps of the above key negotiation method when executed by a processor.
To achieve the above object, the present invention also provides a key agreement system, the key agreement system comprising the above distribution net equipment and the above non-distribution net equipment.
With the key negotiation method, distribution net equipment, non-distribution net equipment, computer-readable storage medium and key agreement system provided by the present invention, the distribution net equipment, on receiving the non-distribution net equipment public key sent by the non-distribution net equipment, generates and saves a first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key. The invention thus enables distribution net equipment to search for non-distribution net equipment automatically, to perform key negotiation with it to obtain a session key, and to send the distribution information to it after encrypting that information with the session key, so that the non-distribution net equipment connects to the network automatically and the communication security of home equipment is improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the hardware operating environment of the terminal involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the key negotiation method of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the key negotiation method of the present invention;
Fig. 4 is a flow diagram of the third embodiment of the key negotiation method of the present invention;
Fig. 5 is a flow diagram of the fourth embodiment of the key negotiation method of the present invention;
Fig. 6 is a flow diagram of the fifth embodiment of the key negotiation method of the present invention;
Fig. 7 is a flow diagram of the sixth embodiment of the key negotiation method of the present invention;
Fig. 8 is a flow diagram of the seventh embodiment of the key negotiation method of the present invention;
Fig. 9 is a flow diagram of the eighth embodiment of the key negotiation method of the present invention;
Fig. 10 is a flow diagram of the ninth embodiment of the key negotiation method of the present invention;
Fig. 11 is a flow diagram of the tenth embodiment of the key negotiation method of the present invention;
Fig. 12 is a flow diagram of the eleventh embodiment of the key negotiation method of the present invention;
Fig. 13 is a flow diagram of the twelfth embodiment of the key negotiation method of the present invention;
Fig. 14 is a flow diagram of the thirteenth embodiment of the key negotiation method of the present invention;
Fig. 15 is a flow diagram of the fourteenth embodiment of the key negotiation method of the present invention;
Fig. 16 is a flow diagram of the fifteenth embodiment of the key negotiation method of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
The present invention provides a key negotiation method, so that distribution net equipment automatically searches for non-distribution net equipment, performs key negotiation with the non-distribution net equipment to obtain a session key, and sends the distribution information to the non-distribution net equipment after encrypting it with the session key; the non-distribution net equipment thus connects to the network automatically, improving the communication security of home equipment.
As shown in Fig. 1, Fig. 1 is a schematic diagram of the hardware operating environment of the terminal involved in the embodiments of the present invention.
The terminal of the embodiments of the present invention may be a smart device, such as an air conditioner, an air regulator, an electric cooker or a smart door lock.
As shown in Fig. 1, the terminal of the embodiment may include a processor 1001, such as a CPU, a memory 1002 and a communication bus 1003. The communication bus 1003 is used to implement connection and communication between the components in the server. The memory 1002 may be a high-speed RAM memory, or a stable memory (non-volatile memory) such as a disk memory. The memory 1002 may optionally also be a storage device independent of the aforementioned processor 1001.
As shown in Fig. 1, the memory 1002, as a computer storage medium, may include a key agreement program.
In the terminal of the embodiment shown in Fig. 1, the processor 1001 may be used to call the key agreement program stored in the memory 1002 and perform the following operations:
after receiving a key negotiation request message sent by non-distribution net equipment, distribution net equipment obtains the non-distribution net equipment public key from the key negotiation request message;
generating and saving a first session key according to the non-distribution net equipment public key and the distribution net equipment private key;
returning the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment, on receiving the distribution net equipment public key, generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
the distribution net equipment extracts the non-distribution net equipment public key certificate and a root public key index from the key negotiation request message;
extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
performing a hash operation on preset information in the non-distribution net equipment public key certificate to obtain a second hash value, the preset information including at least one of the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier and the non-distribution net equipment public key;
when the second hash value is consistent with the first hash value in the non-distribution net equipment public key certificate, executing the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
decrypting the signature result in the non-distribution net equipment public key certificate using a preset server public key to obtain a third hash value, wherein the signature result is obtained by a cloud server encrypting the first hash value using a preset server private key;
when the third hash value is consistent with the first hash value, executing the step of performing a hash operation on the preset information in the non-distribution net equipment public key certificate.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
encrypting the first session key according to a preset algorithm to generate a first key check value;
returning the distribution net equipment public key and the first key check value to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key and the first key check value, generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to the preset algorithm to generate a second key check value, and, when the second key check value is consistent with the first key check value, saves the second session key, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
The distribution net equipment public key certificate and the first key check value are returned to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key certificate and the first key check value, performs signature verification on the distribution net equipment public key certificate and, after verification passes, extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and saves the third session key when the third key check value is consistent with the first key check value, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
On receiving the key agreement confirmation message returned by the non-distribution net equipment, the distribution net equipment decrypts the key agreement confirmation message using the session key to obtain a decryption result;
When the decryption result includes the preset field, the distribution information is encrypted using the first session key, and the encrypted distribution information is sent to the non-distribution net equipment, so that the non-distribution net equipment carries out distribution.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
Predetermined bytes are encrypted according to the first session key to obtain an encryption result;
The preset bytes of the encryption result are used as the first key check value.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
The non-distribution net equipment generates a key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, so that the distribution net equipment obtains the non-distribution net equipment public key according to the key negotiation request message, generates and saves a first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment;
On receiving the distribution net equipment public key, the non-distribution net equipment generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
On receiving the distribution net equipment public key and the first key check value, the non-distribution net equipment generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to a preset algorithm to generate a second key check value, and saves the second session key when the second key check value is consistent with the first key check value, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key and the first key check value to the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
On receiving the distribution net equipment public key certificate and the first key check value, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and saves the third session key when the third key check value is consistent with the first key check value, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
A hash operation is performed on the preset information in the distribution net equipment public key certificate to obtain a fifth hash value, the preset information including at least one of the certificate format, the certificate serial number, the hash algorithm identifier, the distribution net equipment public key algorithm identifier and the distribution net equipment public key;
When the fifth hash value is consistent with the fourth hash value in the distribution net equipment public key certificate, the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate is executed.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
The signature result in the distribution net equipment public key certificate is decrypted using the predetermined server public key to obtain a sixth hash value, wherein the signature result is obtained by the Cloud Server encrypting the first hash value using the predetermined server private key;
When the sixth hash value is consistent with the fourth hash value, the step of performing the hash operation on the preset information in the distribution net equipment public key certificate is executed.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
The non-distribution net equipment encrypts the preset field using the session key to obtain the key agreement confirmation message;
The key agreement confirmation message is sent to the distribution net equipment, so that the distribution net equipment, on receiving the key agreement confirmation message, decrypts it using the session key to obtain a decryption result and, when the decryption result includes the preset field, encrypts the distribution information using the session key and sends the encrypted distribution information to the non-distribution net equipment.
Further, the processor 1001 can call the key agreement program stored in the memory 1002 and also perform the following operations:
Predetermined bytes are encrypted according to the session key to obtain an encryption result;
The preset bytes of the encryption result are used as the second key check value.
Referring to Fig. 2, in the first embodiment, the cryptographic key negotiation method includes:
Step S10, after receiving the key negotiation request message sent by the non-distribution net equipment, the distribution net equipment obtains the non-distribution net equipment public key according to the key negotiation request message;
In the present embodiment, the executing subject is the distribution net equipment. The distribution net equipment can be any of a variety of smart devices such as an air conditioner, an air regulator, a washing machine, an electric rice cooker or an intelligent door lock. An APP on a terminal can communicate with the equipment through the Cloud Server, i.e. the user can send instructions through the APP to control the smart device. In a LAN environment, the distribution net equipment can search for powered-on non-distribution net equipment within a preset range through its WiFi module and first check the legitimacy of the non-distribution net equipment; when the non-distribution net equipment is legitimate, it negotiates a session key with the non-distribution net equipment and sends the distribution information to the non-distribution net equipment under the negotiated session key, so that the non-distribution net equipment connects to the local area network automatically.
In the present embodiment, the key negotiation request message is generated by the non-distribution net equipment and sent to the distribution net equipment in order to initiate a key negotiation request to the distribution net equipment. The key negotiation request message may include the non-distribution net equipment public key and the like, and may also include the root public key index, the non-distribution net equipment public key certificate and the like; that is, the non-distribution net equipment public key can be generated by the non-distribution net equipment or extracted from the non-distribution net equipment public key certificate. The non-distribution net equipment public key certificate can be obtained by decryption through the predetermined server, and the predetermined server can be a License server. The distribution net equipment performs signature verification on the signature result in the non-distribution net equipment public key certificate and, when verification passes, extracts the public key from the non-distribution net equipment public key certificate through the root public key index. This approach increases the randomness of the certificate.
Step S11, the first session key is generated and saved according to the non-distribution net equipment public key and the distribution net equipment private key;
In the present embodiment, the distribution net equipment uses the distribution net equipment private key to compute the first session key from the non-distribution net equipment public key; preferably, the first session key is computed from the non-distribution net equipment public key by the ECDH algorithm using the distribution net equipment private key.
Step S12, the distribution net equipment public key is returned to the non-distribution net equipment, so that the non-distribution net equipment, on receiving the distribution net equipment public key, generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
The distribution net equipment returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment uses the non-distribution net equipment private key to compute the second session key from the distribution net equipment public key; preferably, the second session key is computed from the distribution net equipment public key by the ECDH algorithm using the non-distribution net equipment private key.
It should be noted that, owing to the characteristics of the ECDH algorithm, the first session key is consistent with the second session key, so the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment. The way the first session key and the second session key are generated is not limited to the ECDH algorithm; other algorithms are also possible, for example the ECC algorithm, the RSA algorithm, the ECDSA algorithm and so on, and the present invention is not specifically limited in this respect.
In the first embodiment, on receiving the non-distribution net equipment public key sent by the non-distribution net equipment, the distribution net equipment generates and saves the first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment generates and saves the second session key according to the distribution net equipment public key and the non-distribution net equipment private key. In this way, the distribution net equipment automatically searches for non-distribution net equipment and carries out key agreement with it to obtain a session key; the distribution information is encrypted with the session key and sent to the non-distribution net equipment, so that the non-distribution net equipment connects to the network automatically, which improves the communication security of home equipment.
In the second embodiment, as shown in Fig. 3, on the basis of the embodiment shown in Fig. 2 above, the step of obtaining the non-distribution net equipment public key according to the key negotiation request message includes:
Step S101, the distribution net equipment extracts the non-distribution net equipment public key certificate and the root public key index from the key negotiation request message;
Step S102, the non-distribution net equipment public key is extracted from the non-distribution net equipment public key certificate according to the root public key index.
In the present embodiment, the key negotiation request message is generated by the non-distribution net equipment and sent to the distribution net equipment in order to initiate a key negotiation request to the distribution net equipment. The key negotiation request message may include the non-distribution net equipment public key and the like, and may also include the root public key index, the non-distribution net equipment public key certificate and the like.
The non-distribution net equipment public key can be generated by the non-distribution net equipment or extracted from the non-distribution net equipment public key certificate, wherein the non-distribution net equipment public key certificate can be obtained by decryption through the predetermined server. The distribution net equipment performs signature verification on the signature result in the non-distribution net equipment public key certificate and, when verification passes, extracts the public key from the non-distribution net equipment public key certificate through the root public key index. This approach increases the randomness of the certificate. It should be noted that the predetermined server can be a License server.
In the second embodiment, the distribution net equipment extracts the equipment public key certificate and the root public key index from the key negotiation request message, and extracts the non-distribution net equipment public key from the non-distribution net equipment certificate according to the root public key index. This increases the randomness of the certificate and further improves the communication security of home equipment.
In the third embodiment, as shown in Fig. 4, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 3 above, before the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index, the method further includes:
Step S103, a hash operation is performed on the preset information in the non-distribution net equipment public key certificate to obtain a second hash value, the preset information including at least one of the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier and the non-distribution net equipment public key;
Step S104, it is judged whether the second hash value is consistent with the first hash value in the equipment public key certificate;
Step S105, when the second hash value is consistent with the first hash value in the non-distribution net equipment public key certificate, the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index is executed.
In the present embodiment, before the non-distribution net equipment public key is extracted from the non-distribution net equipment public key certificate, the distribution net equipment verifies the non-distribution net equipment public key certificate. Specifically, the non-distribution net equipment public key certificate includes the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier, the non-distribution net equipment public key, the signature result and the first hash value, wherein the signature result is obtained by the predetermined server signing the first hash value with the predetermined server private key, and the first hash value is obtained by the predetermined server performing a hash operation on the preset information; the preset information includes the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier and the non-distribution net equipment public key.
The distribution net equipment performs a hash operation on the preset information in the non-distribution net equipment public key certificate to obtain the second hash value; when the second hash value is consistent with the first hash value, the non-distribution net equipment public key certificate is determined to be legitimate, and the non-distribution net equipment public key is then extracted from the non-distribution net equipment public key certificate.
In the third embodiment, the distribution net equipment performs a hash calculation on the preset information in the non-distribution net equipment public key certificate to obtain the second hash value and, when the second hash value is consistent with the first hash value in the non-distribution net equipment public key certificate, extracts the non-distribution net equipment public key from the non-distribution net equipment public key certificate. This ensures the legitimacy of the certificate.
In the fourth embodiment, as shown in Fig. 5, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 4 above, before the step of performing the hash operation on the preset information in the non-distribution net equipment public key certificate, the method further includes:
Step S106, the signature result in the equipment public key certificate is decrypted using the predetermined server public key to obtain a third hash value, wherein the signature result is obtained by the Cloud Server encrypting the first hash value using the predetermined server private key;
Step S107, it is judged whether the third hash value is consistent with the first hash value;
Step S108, when the third hash value is consistent with the first hash value, the step of performing the hash operation on the preset information in the non-distribution net equipment public key certificate is executed.
In the present embodiment, before the non-distribution net equipment public key is extracted from the non-distribution net equipment public key certificate, the distribution net equipment verifies the non-distribution net equipment public key certificate. Specifically, the non-distribution net equipment public key certificate includes the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier, the non-distribution net equipment public key, the signature result and the first hash value, wherein the signature result is obtained by the predetermined server signing the first hash value with the predetermined server private key, and the first hash value is obtained by the predetermined server performing a hash operation on the preset information; the preset information includes the certificate format, the certificate serial number, the hash algorithm identifier, the non-distribution net equipment public key algorithm identifier and the non-distribution net equipment public key.
The distribution net equipment decrypts the signature result in the non-distribution net equipment public key certificate using the predetermined server public key to obtain the third hash value. When the third hash value is consistent with the first hash value, the distribution net equipment performs a hash operation on the preset information in the non-distribution net equipment public key certificate to obtain the second hash value; when the second hash value is consistent with the first hash value, the certificate is determined to be legitimate, and the non-distribution net equipment public key is then extracted from the non-distribution net equipment public key certificate. It should be noted that the predetermined server can be a License server.
In the fourth embodiment, the distribution net equipment decrypts the signature result in the non-distribution net equipment public key certificate to obtain the third hash value and, when the third hash value is consistent with the first hash value in the equipment public key certificate, performs the hash operation on the preset information in the non-distribution net equipment public key certificate. This further ensures the legitimacy of the certificate.
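The two checks of the third and fourth embodiments, as an added Go sketch that is not code from the patent: the signature result is verified against the first hash value, then the preset information is hashed again and compared. RSA PKCS#1 v1.5 with SHA-256, the field widths and identifier values, and all function names are assumptions; the root public key index is not modelled.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// deviceCert mirrors the certificate fields listed above. The field widths and
// the byte layout fed to the hash are assumptions of this sketch.
type deviceCert struct {
	Format    uint8
	Serial    uint32
	HashAlg   uint8  // 1 = SHA-256 (constructed identifier)
	PubKeyAlg uint8  // 1 = ECDH P-256 (constructed identifier)
	PubKey    []byte // equipment public key
	Hash      []byte // "first hash value", computed by the server
	Signature []byte // "signature result", server signature over Hash
}

// presetHash hashes the preset information; the key is length-prefixed so that
// field boundaries cannot shift without changing the digest.
func presetHash(c *deviceCert) []byte {
	h := sha256.New()
	h.Write([]byte{c.Format})
	binary.Write(h, binary.BigEndian, c.Serial)
	h.Write([]byte{c.HashAlg, c.PubKeyAlg})
	binary.Write(h, binary.BigEndian, uint32(len(c.PubKey)))
	h.Write(c.PubKey)
	return h.Sum(nil)
}

// issue plays the predetermined server: hash the preset information, sign the hash.
func issue(server *rsa.PrivateKey, serial uint32, pub []byte) (*deviceCert, error) {
	c := &deviceCert{Format: 1, Serial: serial, HashAlg: 1, PubKeyAlg: 1, PubKey: pub}
	c.Hash = presetHash(c)
	sig, err := rsa.SignPKCS1v15(rand.Reader, server, crypto.SHA256, c.Hash)
	if err != nil {
		return nil, err
	}
	c.Signature = sig
	return c, nil
}

// extractPublicKey runs S106-S108, then S103-S105, and only then returns the key.
func extractPublicKey(serverPub *rsa.PublicKey, c *deviceCert) ([]byte, error) {
	if c.HashAlg != 1 {
		return nil, errors.New("unsupported hash algorithm identifier")
	}
	// S106-S108: the signature result must be the server's signature on the first hash.
	if err := rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, c.Hash, c.Signature); err != nil {
		return nil, errors.New("signature does not match first hash")
	}
	// S103-S105: the recomputed (second) hash must equal the first hash.
	if !bytes.Equal(presetHash(c), c.Hash) {
		return nil, errors.New("certificate fields do not match first hash")
	}
	return c.PubKey, nil
}

// runCases verifies one genuine certificate and two altered copies: one with a
// swapped public key, one with the key swapped and the first hash recomputed.
func runCases() (genuine, swapped, rehashed error) {
	server, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	pub := bytes.Repeat([]byte{0x04}, 65) // constructed stand-in for a P-256 point
	cert, err := issue(server, 1001, pub)
	if err != nil {
		return err, err, err
	}
	_, genuine = extractPublicKey(&server.PublicKey, cert)

	altered := *cert
	altered.PubKey = bytes.Repeat([]byte{0x05}, 65)
	_, swapped = extractPublicKey(&server.PublicKey, &altered)

	altered.Hash = presetHash(&altered) // hash fixed up, but the signature no longer covers it
	_, rehashed = extractPublicKey(&server.PublicKey, &altered)
	return
}

func main() {
	genuine, swapped, rehashed := runCases()
	fmt.Println("genuine:", genuine)
	fmt.Println("swapped key:", swapped)
	fmt.Println("swapped key, hash recomputed:", rehashed)
}
```

Neither check is sufficient alone: the hash comparison catches a changed field, and the signature check catches a changed field whose stored hash was updated to match.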
In the fifth embodiment, as shown in Fig. 6, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 5 above, after the step of generating and saving the first session key according to the non-distribution net equipment public key and the distribution net equipment private key, the method further includes:
Step S13, the first session key is encrypted according to a preset algorithm to generate a first key check value;
Step S14, the distribution net equipment public key and the first key check value are returned to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key and the first key check value, generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to the preset algorithm to generate a second key check value, and saves the second session key when the second key check value is consistent with the first key check value, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
In the present embodiment, the non-distribution net equipment generates the non-distribution net equipment public key and the non-distribution net equipment private key, which can be a temporary key pair. A key negotiation request message is generated according to the non-distribution net equipment public key and the non-distribution net equipment public key validity period identifier and sent to the distribution net equipment. The distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value, wherein the first default check value is used to verify the session key. Preferably, the step of encrypting the first session key according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the first session key to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value. Other ways are of course also possible, for example encrypting the first session key with a key and using the encryption result as the first key check value, and the present invention is not specifically limited in this respect.
The distribution net equipment returns the distribution net equipment public key and the first key check value to the non-distribution net equipment, so that the non-distribution net equipment uses the non-distribution net equipment private key to compute the second session key from the distribution net equipment public key, encrypts the second session key according to the preset algorithm to generate the second key check value, and saves the second session key when the second key check value is consistent with the first key check value. Preferably, the second session key is computed from the distribution net equipment public key by the ECDH algorithm using the non-distribution net equipment private key. The step of encrypting the second session key according to the preset algorithm to generate the second key check value may be: encrypting predetermined bytes according to the second session key to obtain an encryption result, and using the preset bytes of the encryption result as the second key check value.
It should be noted that, owing to the characteristics of the ECDH algorithm, the first session key is consistent with the second session key, so the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment. The way the first session key and the second session key are generated is not limited to the ECDH algorithm; other algorithms are also possible, for example the ECC algorithm, the RSA algorithm, the ECDSA algorithm and so on, and the present invention is not specifically limited in this respect.
It should be noted that the session key can also be verified in other ways, and the present invention is not specifically limited in this respect. For example, the first session key is processed with the SHA256 algorithm to obtain first digest information, and the non-distribution net equipment processes the second session key with the SHA256 algorithm to obtain second digest information; when the second digest information is consistent with the first digest information, the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment.
In the fifth embodiment, the session key is verified using the first key check value and the second key check value, which further strengthens the security of key agreement between the non-distribution net equipment and the distribution net equipment.
In the sixth embodiment, as shown in Fig. 7, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 6 above, after the step of encrypting the first session key according to the preset algorithm to generate the first key check value, the method further includes:
Step S15, the distribution net equipment public key certificate and the first key check value are returned to the non-distribution net equipment, wherein the non-distribution net equipment, on receiving the distribution net equipment public key certificate and the first key check value, performs signature verification on the distribution net equipment public key certificate and, after verification passes, extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and saves the third session key when the third key check value is consistent with the first key check value, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
In the present embodiment, the distribution net equipment public key can be generated by the distribution net equipment or extracted from the distribution net equipment public key certificate, wherein the distribution net equipment public key certificate can be obtained by decryption through the predetermined server. The non-distribution net equipment performs signature verification on the signature result in the distribution net equipment public key certificate and, when verification passes, extracts the public key from the distribution net equipment public key certificate through the root public key index. This approach increases the randomness of the certificate. It should be noted that the predetermined server can be a License server.
Before the distribution net equipment public key is extracted from the distribution net equipment public key certificate, the non-distribution net equipment verifies the distribution net equipment public key certificate. Specifically, the distribution net equipment public key certificate includes the certificate format, the certificate serial number, the hash algorithm identifier, the distribution net equipment public key algorithm identifier, the distribution net equipment public key, the signature result and the fourth hash value, wherein the signature result is obtained by the predetermined server signing the fourth hash value with the predetermined server private key, and the fourth hash value is obtained by the predetermined server performing a hash operation on the preset information; the preset information includes the certificate format, the certificate serial number, the hash algorithm identifier, the distribution net equipment public key algorithm identifier and the distribution net equipment public key.
The non-distribution net equipment decrypts the signature result in the distribution net equipment public key certificate using the predetermined server public key to obtain the sixth hash value. When the sixth hash value is consistent with the fourth hash value, the non-distribution net equipment performs a hash operation on the preset information in the distribution net equipment certificate to obtain the fifth hash value; when the fifth hash value is consistent with the fourth hash value, the certificate is determined to be legitimate, and the distribution net equipment public key is then extracted from the distribution net equipment certificate.
In the sixth embodiment, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate. In this way, the distribution net equipment and the non-distribution net equipment verify each other's certificates, which strengthens the security of key agreement between the non-distribution net equipment and the distribution net equipment.
In the seventh embodiment, as shown in Fig. 8, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 7 above, after the step of returning the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment, the method further includes:
Step S16, on receiving the key agreement confirmation message returned by the non-distribution net equipment, the distribution net equipment decrypts the key agreement confirmation message using the session key to obtain a decryption result;
Step S17, when the decryption result includes the preset field, the distribution information is encrypted using the first session key, and the encrypted distribution information is sent to the non-distribution net equipment, so that the non-distribution net equipment carries out distribution.
In the present embodiment, the non-distribution net equipment encrypts the preset field using the session key, or encrypts the preset field and a random number using the session key, to obtain the key agreement confirmation message, and sends the key agreement confirmation message to the distribution net equipment, so that the distribution net equipment, on receiving the key agreement confirmation message, decrypts it using the session key to obtain a decryption result and, when the decryption result includes the preset field, sends the encrypted distribution information to the non-distribution net equipment. The preset field can be characters such as "OK".
It should be noted that the distribution information may include the SSID, the password, the User ID and the like. The distribution net equipment encrypts the distribution information with the session key; on receiving the encrypted distribution information, the non-distribution net equipment decrypts it with the session key to obtain the distribution information and connects to the local area network automatically according to the distribution information.
In the seventh embodiment, on receiving the key agreement confirmation message returned by the non-distribution net equipment, the distribution net equipment decrypts the key agreement confirmation message using the session key to obtain a decryption result and, when the decryption result includes the preset field, sends the encrypted distribution information to the non-distribution net equipment. In this way, the non-distribution net equipment connects to the local area network automatically.
In the eighth embodiment, as shown in Fig. 9, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 8 above, the step of encrypting the first session key according to the preset algorithm to generate the first key check value includes:
Step S131: encrypting predetermined bytes according to the first session key to obtain an encrypted result;
Step S132: taking preset bytes of the encrypted result as the first key check value.
In the present embodiment, the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value, and this check value is used to verify the session key. Preferably, the step of encrypting the first session key according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the first session key to obtain an encrypted result, and taking preset bytes of the encrypted result as the first key check value. It should be noted that the predetermined bytes may be 16 bytes, and the preset bytes may be the first three bytes.
It should be noted that the session key can also be verified in other ways, and the present invention does not specifically limit this. For example, an operation is performed on the first session key according to the SHA256 algorithm to obtain first digest information, and the terminal performs an operation on the second session key according to the SHA256 algorithm to obtain second digest information; when the second digest information is consistent with the first digest information, the first session key and the second session key are the session key between the non-distribution net equipment and the distribution net equipment.
In the eighth embodiment, predetermined bytes are encrypted according to the first session key to obtain an encrypted result, and preset bytes of the encrypted result are taken as the first key check value. This ensures the security of key agreement between the non-distribution net equipment and the distribution net equipment.
The present invention also provides a key negotiation method. As shown in Fig. 10, in the ninth embodiment, the key negotiation method includes the following steps:
Step S20: the non-distribution net equipment generates a key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, so that the distribution net equipment obtains the non-distribution net equipment public key according to the key negotiation request message, generates and saves a first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment;
Step S21: on receiving the distribution net equipment public key, the non-distribution net equipment generates and saves a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
In the present embodiment, the executing subject is the non-distribution net equipment. The non-distribution net equipment may be any of a variety of smart devices such as an air conditioner, an air regulator, a washing machine, an electric rice cooker or an intelligent door lock. An APP on a terminal can communicate with the equipment through a cloud server, that is, a user can send instructions through the APP to control the smart device. In a LAN environment, the distribution net equipment can search, through its WiFi module, for powered-on non-distribution net equipment within a preset range. It first checks the legitimacy of the non-distribution net equipment; when the non-distribution net equipment is legitimate, it negotiates a session key with the non-distribution net equipment and sends the distribution information to the non-distribution net equipment under the negotiated session key, so that the non-distribution net equipment connects to the local area network automatically.
In the present embodiment, the key negotiation request message is generated by the non-distribution net equipment and sent to the distribution net equipment to initiate a key negotiation request. The key negotiation request message may include the non-distribution net equipment public key and the like, and may also include a root public key index, the non-distribution net equipment public key certificate and the like; that is, the non-distribution net equipment public key may be generated by the non-distribution net equipment, or may be extracted from the non-distribution net equipment public key certificate. The non-distribution net equipment public key certificate can be obtained by decrypting the predetermined server, and the predetermined server may be a License server. The distribution net equipment verifies the signature result in the non-distribution net equipment public key certificate and, when the verification passes, extracts the public key from the non-distribution net equipment public key certificate by means of the root public key index. This approach increases the randomness of the certificate.
In the present embodiment, the distribution net equipment computes the first session key from the non-distribution net equipment public key using the distribution net equipment private key; preferably, the first session key is computed from the non-distribution net equipment public key by the ECDH algorithm using the distribution net equipment private key. The distribution net equipment returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment computes the second session key from the distribution net equipment public key using the non-distribution net equipment private key; preferably, the second session key is computed from the distribution net equipment public key by the ECDH algorithm using the non-distribution net equipment private key.
It should be noted that, owing to the properties of the ECDH algorithm, the first session key is consistent with the second session key, so the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment. The way the first session key and the second session key are generated is not limited to the ECDH algorithm; other algorithms, such as the ECC algorithm, the RSA algorithm or the ECDSA algorithm, may also be used, and the present invention does not specifically limit this.
In the ninth embodiment, on receiving the non-distribution net equipment public key sent by the non-distribution net equipment, the distribution net equipment generates and saves the first session key according to the non-distribution net equipment public key and the distribution net equipment private key, and returns the distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment generates and saves the second session key according to the distribution net equipment public key and the non-distribution net equipment private key. In this way, the distribution net equipment searches for the non-distribution net equipment automatically and carries out key agreement with it to obtain a session key; the distribution information is encrypted with the session key and sent to the non-distribution net equipment, so that the non-distribution net equipment connects to the network automatically, which improves the communication security of home equipment.
In the tenth embodiment, as shown in Fig. 11, on the basis of the embodiment shown in Fig. 10 above, after the step in which the non-distribution net equipment generates the key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further includes:
Step S22: on receiving the distribution net equipment public key and the first key check value, the non-distribution net equipment generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, and encrypts the second session key according to the preset algorithm to generate a second key check value; when the second key check value is consistent with the first key check value, it saves the second session key, and the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value, and returns the distribution net equipment public key and the first key check value to the non-distribution net equipment.
In the present embodiment, the non-distribution net equipment generates the non-distribution net equipment public key and the non-distribution net equipment private key, which may be a temporary key pair. The key negotiation request message is generated according to the non-distribution net equipment public key, the validity period identifier of the non-distribution net equipment public key and ciphertext data, and is sent to the distribution net equipment. On receiving the key negotiation request message, the distribution net equipment decrypts the ciphertext data with the predetermined server key to obtain a second random number and compares the second random number with the first random number; when the second random number is consistent with the first random number, the non-distribution net equipment is determined to be legitimate. The distribution net equipment computes the first session key from the non-distribution net equipment public key using the distribution net equipment private key, by means of the ECDH algorithm.
The distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value, and this check value is used to verify the session key. Preferably, the step of encrypting the first session key according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the first session key to obtain an encrypted result, and taking preset bytes of the encrypted result as the first key check value. Other ways are of course possible, for example encrypting the first session key with a key and taking the encrypted result as the first key check value; the present invention does not specifically limit this.
The distribution net equipment returns the distribution net equipment public key and the first key check value to the non-distribution net equipment, so that the non-distribution net equipment computes the second session key from the distribution net equipment public key using the non-distribution net equipment private key, encrypts the second session key according to the preset algorithm to generate the second key check value, and saves the second session key when the second key check value is consistent with the first key check value. Preferably, the second session key is computed from the distribution net equipment public key by the ECDH algorithm using the non-distribution net equipment private key. The step of encrypting the second session key according to the preset algorithm to generate the second key check value may be: encrypting predetermined bytes according to the second session key to obtain an encrypted result, and taking preset bytes of the encrypted result as the second key check value.
It should be noted that, owing to the properties of the ECDH algorithm, the first session key is consistent with the second session key, so the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment. The way the first session key and the second session key are generated is not limited to the ECDH algorithm; other algorithms, such as the ECC algorithm, the RSA algorithm or the ECDSA algorithm, may also be used, and the present invention does not specifically limit this.
It should be noted that the session key can also be verified in other ways, and the present invention does not specifically limit this. For example, an operation is performed on the first session key according to the SHA256 algorithm to obtain first digest information, and the non-distribution net equipment performs an operation on the second session key according to the SHA256 algorithm to obtain second digest information; when the second digest information is consistent with the first digest information, the first session key and the second session key are the session key between the distribution net equipment and the non-distribution net equipment.
In the tenth embodiment, the session key is verified using the first key check value and the second key check value, which further strengthens the security of key agreement between the non-distribution net equipment and the distribution net equipment.
In the eleventh embodiment, referring to Fig. 12, on the basis of the embodiment shown in any one of Fig. 10 to Fig. 11 above, after the step in which the non-distribution net equipment generates the key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further includes:
Step S23: on receiving the distribution net equipment public key certificate and the first key check value, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, and encrypts the third session key according to the preset algorithm to generate a third key check value; when the third key check value is consistent with the first key check value, it saves the third session key, and the third session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value, and returns the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment.
In the present embodiment, the distribution net equipment public key may be generated by the distribution net equipment, or may be extracted from the distribution net equipment public key certificate, where the distribution net equipment public key certificate can be obtained by decrypting the predetermined server. The non-distribution net equipment verifies the signature result in the distribution net equipment public key certificate and, when the verification passes, extracts the public key from the distribution net equipment public key certificate by means of the root public key index. This approach increases the randomness of the certificate. It should be noted that the predetermined server may be a License server.
Before extracting the distribution net equipment public key from the distribution net equipment public key certificate, the non-distribution net equipment verifies the certificate. Specifically, the distribution net equipment public key certificate includes a certificate format, a certificate serial number, a hash algorithm identifier, a distribution net equipment public key algorithm identifier, the distribution net equipment public key, a signature result and a fourth hash value. The signature result is obtained by the predetermined server signing the fourth hash value with the predetermined server private key. The fourth hash value is obtained by the predetermined server performing a hash operation on preset information, and the preset information includes the certificate format, certificate serial number, hash algorithm identifier, distribution net equipment public key algorithm identifier and distribution net equipment public key.
The non-distribution net equipment decrypts the signature result in the distribution net equipment public key certificate with the predetermined server public key to obtain a sixth hash value. When the sixth hash value is consistent with the fourth hash value, the non-distribution net equipment performs a hash operation on the preset information in the distribution net equipment certificate to obtain a fifth hash value. When the fifth hash value is consistent with the fourth hash value, the certificate is determined to be legitimate, and the distribution net equipment public key is then extracted from the distribution net equipment certificate.
In the eleventh embodiment, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate. This achieves mutual certificate verification between the distribution net equipment and the non-distribution net equipment and strengthens the security of key agreement between the non-distribution net equipment and the distribution net equipment.
In the twelfth embodiment, as shown in Fig. 13, on the basis of the embodiment shown in any one of Fig. 10 to Fig. 12 above, before the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate, the method further includes:
Step S24: performing a hash operation on the preset information in the distribution net equipment public key certificate to obtain a fifth hash value, the preset information including at least one of the certificate format, certificate serial number, hash algorithm identifier, distribution net equipment public key algorithm identifier and the distribution net equipment public key;
Step S25: judging whether the fifth hash value is consistent with the fourth hash value in the equipment public key certificate;
Step S26: when the fifth hash value is consistent with the fourth hash value in the distribution net equipment public key certificate, executing the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate.
Before extracting the distribution net equipment public key from the distribution net equipment public key certificate, the non-distribution net equipment verifies the certificate. Specifically, the distribution net equipment public key certificate includes a certificate format, a certificate serial number, a hash algorithm identifier, a distribution net equipment public key algorithm identifier, the distribution net equipment public key, a signature result and a fourth hash value. The signature result is obtained by the predetermined server signing the fourth hash value with the predetermined server private key. The fourth hash value is obtained by the predetermined server performing a hash operation on preset information, and the preset information includes the certificate format, certificate serial number, hash algorithm identifier, distribution net equipment public key algorithm identifier and distribution net equipment public key.
The non-distribution net equipment performs a hash operation on the preset information in the distribution net equipment certificate to obtain a fifth hash value. When the fifth hash value is consistent with the fourth hash value, the non-distribution net equipment public key certificate is determined to be legitimate, and the non-distribution net equipment public key is then extracted from the non-distribution net equipment public key certificate.
In the twelfth embodiment, the distribution net equipment performs a hash calculation on the preset information in the non-distribution net equipment public key certificate to obtain a second hash value and, when the second hash value is consistent with the first hash value in the non-distribution net equipment public key certificate, extracts the non-distribution net equipment public key from the non-distribution net equipment public key certificate. This ensures the legitimacy of the certificate.
In the thirteenth embodiment, as shown in Fig. 14, on the basis of the embodiment shown in any one of Fig. 10 to Fig. 13 above, before the step of performing a hash operation on the preset information in the distribution net equipment public key certificate, the method further includes:
Step S27: decrypting the signature result in the distribution net equipment public key certificate using the predetermined server public key to obtain a sixth hash value, wherein the signature result is obtained by the Cloud Server encrypting the first hash value using the predetermined server private key;
Step S28: judging whether the sixth hash value is consistent with the fourth hash value;
Step S29: when the sixth hash value is consistent with the fourth hash value, executing the step of performing a hash operation on the preset information in the distribution net equipment public key certificate.
Before extracting the distribution net equipment public key from the distribution net equipment public key certificate, the non-distribution net equipment verifies the certificate. Specifically, the distribution net equipment public key certificate includes a certificate format, a certificate serial number, a hash algorithm identifier, a distribution net equipment public key algorithm identifier, the distribution net equipment public key, a signature result and a fourth hash value. The signature result is obtained by the predetermined server signing the fourth hash value with the predetermined server private key. The fourth hash value is obtained by the predetermined server performing a hash operation on preset information, and the preset information includes the certificate format, certificate serial number, hash algorithm identifier, distribution net equipment public key algorithm identifier and distribution net equipment public key.
The non-distribution net equipment decrypts the signature result in the distribution net equipment public key certificate with the predetermined server public key to obtain a sixth hash value. When the sixth hash value is consistent with the fourth hash value, the non-distribution net equipment performs a hash operation on the preset information in the distribution net equipment certificate to obtain a fifth hash value. When the fifth hash value is consistent with the fourth hash value, the certificate is determined to be legitimate, and the distribution net equipment public key is then extracted from the distribution net equipment certificate. It should be noted that the predetermined server may be a License server.
In the thirteenth embodiment, the non-distribution net equipment decrypts the signature result in the distribution net equipment public key certificate to obtain a sixth hash value and, when the sixth hash value is consistent with the fourth hash value in the distribution net equipment public key certificate, performs a hash operation on the preset information in the distribution net equipment public key certificate. This further ensures the legitimacy of the certificate.
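The two checks of the twelfth and thirteenth embodiments, run in the order the steps give, as an added example that is not code from the patent. ECDSA signature verification stands in for "decrypting the signature result with the predetermined server public key", and the struct layout, identifier values and length-prefixed encoding are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	errBadSignature = errors.New("signature result does not match the embedded hash")
	errHashMismatch = errors.New("preset information does not match the embedded hash")
)

// DeviceCert mirrors the certificate fields listed in the text. Field types and
// encoding are assumptions; the patent does not define a wire format.
type DeviceCert struct {
	Format    uint8
	Serial    uint32
	HashAlg   uint8  // 1 = SHA-256 (constructed identifier)
	PubKeyAlg uint8  // 1 = ECDH P-256 (constructed identifier)
	PublicKey []byte // device public key
	Hash      []byte // the "fourth hash value", computed by the server
	Signature []byte // server signature over Hash
}

// presetInfoHash hashes the preset information. The variable-length key is
// length-prefixed so that no two field splits yield the same hash input.
func presetInfoHash(c *DeviceCert) []byte {
	h := sha256.New()
	h.Write([]byte{c.Format})
	binary.Write(h, binary.BigEndian, c.Serial)
	h.Write([]byte{c.HashAlg, c.PubKeyAlg})
	binary.Write(h, binary.BigEndian, uint32(len(c.PublicKey)))
	h.Write(c.PublicKey)
	return h.Sum(nil)
}

// newServerKey creates a constructed signing key for the preset server.
func newServerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// issue plays the preset server: hash the preset information, sign the hash.
func issue(server *ecdsa.PrivateKey, c DeviceCert) (DeviceCert, error) {
	c.Hash = presetInfoHash(&c)
	sig, err := ecdsa.SignASN1(rand.Reader, server, c.Hash)
	c.Signature = sig
	return c, err
}

// extractPublicKey returns the device public key only if both checks pass.
func extractPublicKey(serverPub *ecdsa.PublicKey, c *DeviceCert) ([]byte, error) {
	if c.HashAlg != 1 {
		return nil, errors.New("unsupported hash algorithm identifier")
	}
	// Steps S27-S29: the signature result must match the embedded hash.
	if !ecdsa.VerifyASN1(serverPub, c.Hash, c.Signature) {
		return nil, errBadSignature
	}
	// Steps S24-S26: the recomputed hash must equal the embedded hash.
	// Without this, a swapped key with an untouched hash would be accepted.
	if subtle.ConstantTimeCompare(presetInfoHash(c), c.Hash) != 1 {
		return nil, errHashMismatch
	}
	return c.PublicKey, nil
}

func main() {
	server, err := newServerKey()
	if err != nil {
		panic(err)
	}
	cert, err := issue(server, DeviceCert{Format: 1, Serial: 1001, HashAlg: 1,
		PubKeyAlg: 1, PublicKey: []byte("constructed device public key")})
	if err != nil {
		panic(err)
	}
	_, err = extractPublicKey(&server.PublicKey, &cert)
	fmt.Println("genuine certificate:", err)
	cert.PublicKey = []byte("substituted key") // hash and signature untouched
	_, err = extractPublicKey(&server.PublicKey, &cert)
	fmt.Println("substituted key:", err)
}
```

The signature check alone authenticates only the embedded hash field; the recomputed hash is what binds the public key and the other fields to that signature.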
Referring to Fig. 15, in the fourteenth embodiment, on the basis of the embodiment shown in any one of Fig. 10 to Fig. 14 above, after the step in which the third session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment, the method further includes:
Step S30: the non-distribution net equipment encrypts the preset field using the session key to obtain the key agreement confirmation message;
Step S31: the key agreement confirmation message is sent to the distribution net equipment, so that the distribution net equipment, on receiving the key agreement confirmation message, decrypts the key agreement confirmation message using the session key to obtain a decryption result and, when the decryption result includes the preset field, encrypts the distribution information using the session key and sends the encrypted distribution information to the non-distribution net equipment.
In the present embodiment, the non-distribution net equipment encrypts the preset field using the session key, or encrypts the preset field and a random number using the session key, to obtain the key agreement confirmation message, and sends the key agreement confirmation message to the distribution net equipment. On receiving the key agreement confirmation message, the distribution net equipment decrypts it using the session key to obtain a decryption result; when the decryption result includes the preset field, it sends the encrypted distribution information to the non-distribution net equipment. The preset field may be characters such as "OK".
It should be noted that the distribution information may include an SSID, a password, a user ID and the like. The distribution net equipment encrypts the distribution information with the session key. On receiving the encrypted distribution information, the non-distribution net equipment decrypts it with the session key to obtain the distribution information and connects to the local area network automatically according to the distribution information.
In the fourteenth embodiment, when the distribution net equipment receives the key agreement confirmation message returned by the non-distribution net equipment, it decrypts the key agreement confirmation message using the session key to obtain a decryption result; when the decryption result includes the preset field, it sends the encrypted distribution information to the non-distribution net equipment. In this way, the non-distribution net equipment connects to the local area network automatically.
In the fifteenth embodiment, as shown in Fig. 16, on the basis of the embodiment shown in any one of Fig. 10 to Fig. 15 above, the step of encrypting the second session key according to the preset algorithm to generate the second key check value includes:
Step S221: encrypting predetermined bytes according to the session key to obtain an encrypted result;
Step S222: taking preset bytes of the encrypted result as the second key check value.
In the present embodiment, the non-distribution net equipment encrypts the second session key according to the preset algorithm to generate the second key check value, and this check value is used to verify the session key. Preferably, the step of encrypting the second session key according to the preset algorithm to generate the second key check value may be: encrypting predetermined bytes according to the second session key to obtain an encrypted result, and taking preset bytes of the encrypted result as the second key check value. It should be noted that the predetermined bytes may be 16 bytes, and the preset bytes may be the first three bytes.
It should be noted that the session key can also be verified in other ways, and the present invention does not specifically limit this. For example, an operation is performed on the first session key according to the SHA256 algorithm to obtain first digest information, and the terminal performs an operation on the second session key according to the SHA256 algorithm to obtain second digest information; when the second digest information is consistent with the first digest information, the first session key and the second session key are the session key between the non-distribution net equipment and the distribution net equipment.
In the fifteenth embodiment, predetermined bytes are encrypted according to the second session key to obtain an encrypted result, and preset bytes of the encrypted result are taken as the second key check value. This ensures the security of key agreement between the non-distribution net equipment and the distribution net equipment.
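The ECDH exchange and key check value comparison of the tenth and fifteenth embodiments (the eighth embodiment describes the same check value on the other device), worked through for both sides as an added example that is not code from the patent. Assumptions: curve P-256, the session key is SHA-256 of the ECDH output, AES is the "preset algorithm", and the 16 predetermined bytes are zero.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumptions, not taken from the patent: curve P-256, session key = SHA-256
// of the raw ECDH output, AES as the "preset algorithm", and 16 zero bytes as
// the predetermined bytes.

var errKCVMismatch = errors.New("key check value mismatch: session key not saved")

// newKeyPair creates a temporary key pair for one negotiation.
func newKeyPair() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// deriveSessionKey combines our private key with the peer's encoded public key.
func deriveSessionKey(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	return key[:], nil
}

// keyCheckValue encrypts the 16 predetermined bytes under the session key and
// keeps the first three bytes of the result.
func keyCheckValue(sessionKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return out[:3], nil
}

// respond is the device already on the network: it derives the first session
// key from the requester's public key and returns it with its check value.
func respond(priv *ecdh.PrivateKey, requesterPub []byte) (key, kcv []byte, err error) {
	if key, err = deriveSessionKey(priv, requesterPub); err != nil {
		return nil, nil, err
	}
	kcv, err = keyCheckValue(key)
	return key, kcv, err
}

// accept is the device not yet on the network: it derives the second session
// key and saves it only when its own check value equals the received one.
func accept(priv *ecdh.PrivateKey, responderPub, kcv1 []byte) ([]byte, error) {
	key, err := deriveSessionKey(priv, responderPub)
	if err != nil {
		return nil, err
	}
	kcv2, err := keyCheckValue(key)
	if err != nil {
		return nil, err
	}
	// Constant-time compare; a length mismatch also returns 0.
	if subtle.ConstantTimeCompare(kcv1, kcv2) != 1 {
		return nil, errKCVMismatch
	}
	return key, nil
}

func main() {
	requester, _ := newKeyPair()
	responder, _ := newKeyPair()
	k1, kcv1, err := respond(responder, requester.PublicKey().Bytes())
	if err != nil {
		panic(err)
	}
	k2, err := accept(requester, responder.PublicKey().Bytes(), kcv1)
	fmt.Printf("kcv=%x keys equal=%v err=%v\n", kcv1, bytes.Equal(k1, k2), err)
	kcv1[0] ^= 1 // constructed fault: one bit of the check value flipped in transit
	_, err = accept(requester, responder.PublicKey().Bytes(), kcv1)
	fmt.Println("corrupted check value:", err)
}
```

A three-byte check value confirms that both sides derived the same key; on its own it says nothing about who sent the public key, which is the role of the certificate checks in the other embodiments.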
In addition, the present invention also proposes a distribution net equipment. The distribution net equipment includes a memory, a processor and a key agreement program stored on the memory and runnable on the processor, and the processor executes the steps of the key negotiation method described above in which the distribution net equipment is the executing subject.
In addition, the present invention also proposes a non-distribution net equipment. The non-distribution net equipment includes a memory, a processor and a key agreement program stored on the memory and runnable on the processor, and the processor executes the steps of the key negotiation method described above in which the non-distribution net equipment is the executing subject.
In addition, the present invention also proposes a computer readable storage medium. The computer readable storage medium includes a key agreement program, and the key agreement program, when executed by a processor, implements the steps of the key negotiation method described in the above embodiments.
In addition, the present invention also proposes a key agreement system, which includes the above distribution net equipment and the above non-distribution net equipment.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disc) and includes several instructions for causing a device (which may be a television set, mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the embodiments of the present invention.
The above is only a preferred embodiment of the present invention and does not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included within the scope of the present invention.

Claims (19)

1. A cryptographic key negotiation method, characterized in that the cryptographic key negotiation method comprises the following steps:
after receiving a key negotiation request message sent by a non-distribution net equipment, a distribution net equipment obtains a non-distribution net equipment public key according to the key negotiation request message;
generating and saving a first session key according to the non-distribution net equipment public key and a distribution net equipment private key;
returning a distribution net equipment public key to the non-distribution net equipment, so that the non-distribution net equipment, upon receiving the distribution net equipment public key, generates and saves a second session key according to the distribution net equipment public key and a non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
2. The cryptographic key negotiation method according to claim 1, characterized in that the step of obtaining the non-distribution net equipment public key according to the key negotiation request message comprises:
the distribution net equipment extracts a non-distribution net equipment public key certificate and a root public key index from the key negotiation request message;
extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
3. The cryptographic key negotiation method according to claim 2, characterized in that, before the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index, the method further comprises:
performing a hash operation on preset information in the non-distribution net equipment public key certificate to obtain a second hash value, the preset information including at least one of a certificate format, a certificate serial number, a hash algorithm identifier, a non-distribution net equipment public key algorithm identifier, and the non-distribution net equipment public key;
when the second hash value is consistent with a first hash value in the non-distribution net equipment public key certificate, executing the step of extracting the non-distribution net equipment public key from the non-distribution net equipment public key certificate according to the root public key index.
4. The cryptographic key negotiation method according to claim 3, characterized in that, before the step of performing a hash operation on the preset information in the non-distribution net equipment public key certificate, the method further comprises:
decrypting the signature result in the non-distribution net equipment public key certificate with a preset server public key to obtain a third hash value, wherein the signature result is obtained by a cloud server encrypting the first hash value with a preset server private key;
when the third hash value is consistent with the first hash value, executing the step of performing a hash operation on the preset information in the non-distribution net equipment public key certificate.
5. The cryptographic key negotiation method according to claim 1, characterized in that, after the step of generating and saving the first session key according to the non-distribution net equipment public key and the distribution net equipment private key, the method further comprises:
encrypting the first session key according to a preset algorithm to generate a first key check value;
returning the distribution net equipment public key and the first key check value to the non-distribution net equipment, wherein the non-distribution net equipment, upon receiving the distribution net equipment public key and the first key check value, generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to the preset algorithm to generate a second key check value, and, when the second key check value is consistent with the first key check value, saves the second session key, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
6. The cryptographic key negotiation method according to claim 5, characterized in that, after the step of encrypting the first session key according to the preset algorithm to generate the first key check value, the method further comprises:
returning a distribution net equipment public key certificate and the first key check value to the non-distribution net equipment, wherein the non-distribution net equipment, upon receiving the distribution net equipment public key certificate and the first key check value, performs signature verification on the distribution net equipment public key certificate and, after the verification passes, extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and, when the third key check value is consistent with the first key check value, saves the third session key, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment.
7. The cryptographic key negotiation method according to claim 6, characterized in that, after the step of returning the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment, the method further comprises:
upon receiving a key negotiation confirmation message returned by the non-distribution net equipment, the distribution net equipment decrypts the key negotiation confirmation message with the session key to obtain a decryption result;
when the decryption result contains a preset field, encrypting distribution information with the first session key and sending the encrypted distribution information to the non-distribution net equipment, so that the non-distribution net equipment performs distribution.
8. The cryptographic key negotiation method according to claim 6, characterized in that the step of encrypting the first session key according to the preset algorithm to generate the first key check value comprises:
encrypting predetermined bytes according to the first session key to obtain an encryption result;
taking preset bytes of the encryption result as the first key check value.
9. A cryptographic key negotiation method, characterized in that the cryptographic key negotiation method comprises the following steps:
a non-distribution net equipment generates a key negotiation request message according to a non-distribution net equipment public key and sends it to a distribution net equipment, so that the distribution net equipment obtains the non-distribution net equipment public key according to the key negotiation request message, generates and saves a first session key according to the non-distribution net equipment public key and a distribution net equipment private key, and returns a distribution net equipment public key to the non-distribution net equipment;
upon receiving the distribution net equipment public key, the non-distribution net equipment generates and saves a second session key according to the distribution net equipment public key and a non-distribution net equipment private key, wherein the second session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment.
10. The cryptographic key negotiation method according to claim 9, characterized in that, after the step in which the non-distribution net equipment generates the key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further comprises:
upon receiving the distribution net equipment public key and a first key check value, the non-distribution net equipment generates a second session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the second session key according to a preset algorithm to generate a second key check value, and, when the second key check value is consistent with the first key check value, saves the second session key, the second session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key and the first key check value to the non-distribution net equipment.
11. The cryptographic key negotiation method according to claim 10, characterized in that, after the step in which the non-distribution net equipment generates the key negotiation request message according to the non-distribution net equipment public key and sends it to the distribution net equipment, the method further comprises:
upon receiving a distribution net equipment public key certificate and the first key check value, the non-distribution net equipment extracts the distribution net equipment public key from the distribution net equipment public key certificate, generates a third session key according to the distribution net equipment public key and the non-distribution net equipment private key, encrypts the third session key according to the preset algorithm to generate a third key check value, and, when the third key check value is consistent with the first key check value, saves the third session key, the third session key and the first session key being the session key between the distribution net equipment and the non-distribution net equipment, wherein the distribution net equipment encrypts the first session key according to the preset algorithm to generate the first key check value and returns the distribution net equipment public key certificate and the first key check value to the non-distribution net equipment.
12. The cryptographic key negotiation method according to claim 11, characterized in that, before the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate, the method further comprises:
performing a hash operation on preset information in the distribution net equipment public key certificate to obtain a fifth hash value, the preset information including at least one of a certificate format, a certificate serial number, a hash algorithm identifier, a distribution net equipment public key algorithm identifier, and the distribution net equipment public key;
when the fifth hash value is consistent with a fourth hash value in the distribution net equipment public key certificate, executing the step of extracting the distribution net equipment public key from the distribution net equipment public key certificate.
13. The cryptographic key negotiation method according to claim 12, characterized in that, before the step of performing a hash operation on the preset information in the distribution net equipment public key certificate, the method further comprises:
decrypting the signature result in the distribution net equipment public key certificate with a preset server public key to obtain a sixth hash value, wherein the signature result is obtained by a cloud server encrypting the first hash value with a preset server private key;
when the sixth hash value is consistent with the fourth hash value, executing the step of performing a hash operation on the preset information in the distribution net equipment public key certificate.
14. The cryptographic key negotiation method according to claim 11, characterized in that, after the step in which the third session key and the first session key are the session key between the distribution net equipment and the non-distribution net equipment, the method further comprises:
the non-distribution net equipment encrypts a preset field with the session key to obtain a key negotiation confirmation message;
sending the key negotiation confirmation message to the distribution net equipment, so that the distribution net equipment, upon receiving the key negotiation confirmation message, decrypts the key negotiation confirmation message with the session key to obtain a decryption result and, when the decryption result contains the preset field, encrypts distribution information with the session key and sends the encrypted distribution information to the non-distribution net equipment.
15. The cryptographic key negotiation method according to claim 11, characterized in that the step of encrypting the second session key according to the preset algorithm to generate the second key check value comprises:
encrypting predetermined bytes according to the session key to obtain an encryption result;
taking preset bytes of the encryption result as the second key check value.
16. A distribution net equipment, characterized in that the cloud server comprises a memory, a processor, and a key negotiation program stored on the memory and executable on the processor, the key negotiation program, when executed by the processor, implementing the steps of the cryptographic key negotiation method according to any one of claims 1 to 8.
17. A non-distribution net equipment, characterized in that the equipment comprises a memory, a processor, and a key negotiation program stored on the memory and executable on the processor, the key negotiation program, when executed by the processor, implementing the steps of the cryptographic key negotiation method according to any one of claims 9 to 15.
18. A computer-readable storage medium, characterized in that a key negotiation program is stored on the computer-readable storage medium, the key negotiation program, when executed by a processor, implementing the steps of the cryptographic key negotiation method according to any one of claims 1 to 15.
19. A key negotiation system, characterized in that the key negotiation system comprises the distribution net equipment according to claim 16 and the non-distribution net equipment according to claim 17.
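The exchange of claims 1, 5, 8, 9 and 10 (public keys swapped, each side derives a session key, and the non-distribution net equipment saves its key only if the key check values agree), as an added example that is not code from the patent or from Midea. The patent text here names no algorithms, so X25519, the SHA-256 derivation step, HMAC-SHA256 standing in for the "preset algorithm", the 16 zero bytes, the 4-byte check value and all function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumptions (not from the patent): X25519 key agreement, SHA-256 as the key
# derivation step, HMAC-SHA256 standing in for the unspecified "preset
# algorithm" that encrypts the predetermined bytes.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")
KCV_INPUT = bytes(16)  # constructed "predetermined bytes"
KCV_LEN = 4            # constructed choice of "preset bytes" kept as check value


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Readable reference form, not constant-time."""
    k = (int.from_bytes(scalar, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE_POINT)


def session_key(own_priv: bytes, peer_pub: bytes) -> bytes:
    shared = x25519(own_priv, peer_pub)
    if shared == bytes(32):  # low-order peer key gives an all-zero secret
        raise ValueError("rejecting degenerate shared secret")
    return hashlib.sha256(shared).digest()


def key_check_value(key: bytes) -> bytes:
    # Claim 8 shape: process predetermined bytes under the key, keep a prefix.
    return hmac.new(key, KCV_INPUT, hashlib.sha256).digest()[:KCV_LEN]


def distribution_side(request_pub, own_priv, own_pub):
    """Claims 1 and 5: derive the first session key, answer with pubkey + KCV."""
    first_key = session_key(own_priv, request_pub)
    return first_key, (own_pub, key_check_value(first_key))


def non_distribution_side(response, own_priv):
    """Claim 10: derive the second session key, save it only on KCV match."""
    peer_pub, first_kcv = response
    second_key = session_key(own_priv, peer_pub)
    ok = hmac.compare_digest(key_check_value(second_key), first_kcv)
    return second_key if ok else None


def demo():
    d_priv, d_pub = keypair()  # distribution net equipment
    n_priv, n_pub = keypair()  # non-distribution net equipment
    first_key, response = distribution_side(n_pub, d_priv, d_pub)
    second_key = non_distribution_side(response, n_priv)
    # Constructed failure case: the returned public key does not match the KCV.
    _, unrelated_pub = keypair()
    rejected = non_distribution_side((unrelated_pub, response[1]), n_priv)
    return first_key, second_key, rejected
```

The check value only confirms that both sides derived the same key; binding a public key to a particular device still rests on the certificate checks of claims 2 to 4, 6, 12 and 13, which this example leaves out.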
CN201811302448.3A 2018-11-02 2018-11-02 Cryptographic key negotiation method, equipment, storage medium and system Pending CN109039627A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811302448.3A CN109039627A (en) 2018-11-02 2018-11-02 Cryptographic key negotiation method, equipment, storage medium and system

Publications (1)

Publication Number Publication Date
CN109039627A true CN109039627A (en) 2018-12-18

Family

ID=64614361

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811302448.3A Pending CN109039627A (en) 2018-11-02 2018-11-02 Cryptographic key negotiation method, equipment, storage medium and system

Country Status (1)

Country Link
CN (1) CN109039627A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181218
