CN109040149A - Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system - Google Patents

Publication number: CN109040149A
Application number: CN201811302357.XA
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 江锦红, 刘复鑫, 黄峰鹤
Original assignee: Midea Group Co Ltd
Current assignee: Midea Group Co Ltd
Prior art keywords: key, equipment, cloud server, ciphertext data, public key

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The invention discloses a key negotiation method comprising the following steps: after receiving a key negotiation request message sent by a device, a cloud server obtains a device public key certificate from the key negotiation request message; the cloud server verifies the signature result in the device public key certificate using a predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate; the cloud server generates a second key, encrypts the second key with the device public key and sends it to the device, so as to carry out the key agreement between the cloud server and the device. The invention also discloses a cloud server, a device, a computer-readable storage medium and a key agreement system. The invention increases the randomness of the certificate, thereby increasing the difficulty of obtaining identity authentication information by packet capture and strengthening the security of the key agreement process.

Description

Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
Technical field
The present invention relates to the field of information security technology, and in particular to a key negotiation method, a cloud server, a device, a computer-readable storage medium and a key agreement system.
Background technique
In the prior art, a cloud server generally determines the legitimacy of a device by means of a device certificate preset in the device or a public key preset in the device. This approach has low security; for example, identity authentication information is easily obtained by packet capture.
The above content is only intended to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a key negotiation method, a cloud server, a device, a computer-readable storage medium and a key agreement system, with the aim of increasing the randomness of the certificate, thereby increasing the difficulty of obtaining identity authentication information by packet capture and strengthening the security of the key agreement process.
To achieve the above object, the present invention provides a key negotiation method comprising the following steps:
After receiving a key negotiation request message sent by a device, a cloud server obtains a device public key certificate from the key negotiation request message;
The cloud server verifies the signature result in the device public key certificate using a predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate;
The cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out the key agreement between the cloud server and the device.
Preferably, the second key is a random number.
Preferably, the step of verifying the signature result in the device public key certificate using the predetermined server public key comprises:
Decrypting the signature result in the device public key certificate with the predetermined server public key to obtain a third hash value, where the signature result is obtained by the cloud server encrypting the first hash value with a predetermined server private key;
When the third hash value is consistent with the first hash value, performing a hash operation on preset information in the device public key certificate to obtain a second hash value, the preset information including at least one of a certificate format, a certificate serial number, a hash algorithm identifier, a device public key algorithm identifier and the device public key;
When the second hash value is consistent with the first hash value in the device public key certificate, determining that signature verification passes.
Preferably, the step of carrying out the key agreement between the cloud server and the device comprises:
The cloud server obtains first ciphertext data from the key negotiation request message and decrypts the first ciphertext data with the cloud server private key to obtain and save a first key, where the device generates the first key, encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server;
Returning the second ciphertext data to the device, so that the device, on receiving the second ciphertext data, decrypts the second ciphertext data with the device private key to obtain and save the second key;
Generating the session key between the cloud server and the device from the second key and the first key.
Preferably, after the step of obtaining and saving the first key, the method further comprises:
Encrypting the second key according to a preset algorithm to generate a first key check value;
Returning the second ciphertext data and the first key check value to the device, so that the device, on receiving the second ciphertext data and the first key check value, decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to the preset algorithm to generate a second key check value, and saves the second key when the second key check value is consistent with the first key check value;
Generating the session key between the cloud server and the device from the second key and the first key.
Preferably, the step of encrypting the second key according to the preset algorithm to generate the first key check value comprises:
Encrypting predetermined bytes according to the second key and the first key to obtain an encrypted result;
Taking preset bytes of the encrypted result as the first key check value.
Preferably, after the step of generating the session key between the cloud server and the device from the second key and the first key, the method further comprises:
When the cloud server receives the key agreement confirmation message returned by the device, it decrypts the key agreement confirmation message with the session key to obtain a decrypted result;
When the decrypted result includes a preset field, the cloud server sends a key agreement confirmation message to the device.
Preferably, the step of generating the session key between the cloud server and the device from the second key and the first key comprises:
Splicing the second key with the first key to obtain a splicing result;
Using the splicing result as the session key between the cloud server and the device.
To achieve the above object, the present invention also provides a key negotiation method comprising the following steps:
A device generates a key negotiation request message from a device public key certificate and sends the key negotiation request message to a cloud server, so that the cloud server, after receiving the key negotiation request message sent by the device, obtains the device public key certificate from the key negotiation request message and verifies the signature result in the device public key certificate using a predetermined server public key; when verification passes, the cloud server extracts the device public key from the device public key certificate, generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out the key agreement between the cloud server and the device.
Preferably, the second key is a random number.
Preferably, after the step of sending the key negotiation request message to the cloud server, the method further comprises:
The device generates a first key, encrypts the first key with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server, so that the cloud server obtains the first ciphertext data from the key negotiation request message sent by the device and decrypts the first ciphertext data with the cloud server private key to obtain and save the first key;
On receiving the second ciphertext data, the device decrypts the second ciphertext data with the device private key to obtain and save the second key, and generates the session key between the cloud server and the device from the second key and the first key, where the cloud server, on obtaining and saving the first key, generates the second key, encrypts the second key with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device.
Preferably, after the step of generating the key negotiation request message from the first ciphertext data and the device public key certificate and sending it to the cloud server, the method further comprises:
On receiving the second ciphertext data and a first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to a preset algorithm to generate a second key check value, saves the second key when the second key check value is consistent with the first key check value, and generates the session key between the cloud server and the device from the second key and the first key, where the cloud server encrypts the second key according to the preset algorithm to generate the first key check value and returns the second ciphertext data and the first key check value to the device.
Preferably, the step of encrypting the second key according to the preset algorithm to generate the second key check value comprises:
Encrypting predetermined bytes according to the second key and the first key to obtain an encrypted result;
Taking preset bytes of the encrypted result as the second key check value.
Preferably, after the step of generating the session key between the cloud server and the device from the second key and the first key, the method further comprises:
The device encrypts a preset field with the session key to obtain a key agreement confirmation message;
Sending the key agreement confirmation message to the cloud server, so that the cloud server, on receiving the key agreement confirmation message, decrypts it with the session key to obtain a decrypted result and, when the decrypted result includes the preset field, sends a key agreement confirmation message to the device.
Preferably, the step of generating the session key between the cloud server and the device from the second key and the first key comprises:
Splicing the second key with the first key to obtain a splicing result;
Using the splicing result as the session key between the cloud server and the device.
To achieve the above object, the present invention also provides a cloud server, the cloud server comprising:
A memory, a processor, and a key agreement program stored on the memory and executable on the processor, where the key agreement program, when executed by the processor, implements the steps of the above key negotiation method.
To achieve the above object, the present invention also provides a device, the device comprising:
A memory, a processor, and a key agreement program stored on the memory and executable on the processor, where the key agreement program, when executed by the processor, implements the steps of the above key negotiation method.
To achieve the above object, the present invention also provides a computer-readable storage medium on which a key agreement program is stored, where the key agreement program, when executed by a processor, implements the steps of the above key negotiation method.
To achieve the above object, the present invention also provides a key agreement system comprising the above cloud server and the above device.
In the key negotiation method, cloud server, device, computer-readable storage medium and key agreement system provided by the invention, the cloud server, after receiving a key negotiation request message sent by the device, obtains the device public key certificate from the key negotiation request message, verifies the signature result in the device public key certificate using a predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate; the cloud server then generates a second key, encrypts the second key with the device public key and sends it to the device, so as to carry out the key agreement between the cloud server and the device. The invention increases the randomness of the certificate, thereby increasing the difficulty of obtaining identity authentication information by packet capture and strengthening the security of the key agreement process.
Description of the drawings
Fig. 1 is a schematic diagram of the hardware running environment of the terminal involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the key negotiation method of the present invention;
Fig. 3 is a flow diagram of the second embodiment of the key negotiation method of the present invention;
Fig. 4 is a flow diagram of the third embodiment of the key negotiation method of the present invention;
Fig. 5 is a flow diagram of the fourth embodiment of the key negotiation method of the present invention;
Fig. 6 is a flow diagram of the fifth embodiment of the key negotiation method of the present invention;
Fig. 7 is a flow diagram of the sixth embodiment of the key negotiation method of the present invention;
Fig. 8 is a flow diagram of the seventh embodiment of the key negotiation method of the present invention;
Fig. 9 is a flow diagram of the eighth embodiment of the key negotiation method of the present invention;
Fig. 10 is a flow diagram of the ninth embodiment of the key negotiation method of the present invention;
Fig. 11 is a flow diagram of the tenth embodiment of the key negotiation method of the present invention;
Fig. 12 is a flow diagram of the eleventh embodiment of the key negotiation method of the present invention;
Fig. 13 is a flow diagram of the twelfth embodiment of the key negotiation method of the present invention;
Fig. 14 is a flow diagram of the thirteenth embodiment of the key negotiation method of the present invention.
The realization of the object, the functional features and the advantages of the present invention are further described with reference to the accompanying drawings in conjunction with the embodiments.
Specific embodiment
It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
The present invention provides a key negotiation method that increases the randomness of the certificate, thereby increasing the difficulty of obtaining identity authentication information by packet capture and strengthening the security of the key agreement process.
Fig. 1 is a schematic diagram of the hardware running environment of the terminal involved in the embodiments of the present invention.
The terminal of the embodiments of the present invention may be a server, or may be a device such as an air conditioner, an air regulator, an electric rice cooker or a smart door lock.
As shown in Fig. 1, the server may include a processor 1001 (such as a CPU), a memory 1002 and a communication bus 1003. The communication bus 1003 implements the connection and communication between the components in the server. The memory 1002 may be a high-speed RAM memory or a non-volatile memory, such as a magnetic disk memory. Optionally, the memory 1002 may also be a storage device independent of the aforementioned processor 1001.
As shown in Fig. 1, the memory 1002, as a kind of computer storage medium, may include a key agreement program.
In the server shown in Fig. 1, the processor 1001 may be used to call the key agreement program stored in the memory 1002 and perform the following operations:
After receiving a key negotiation request message sent by a device, the cloud server obtains a device public key certificate from the key negotiation request message;
The cloud server verifies the signature result in the device public key certificate using a predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate;
The cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out the key agreement between the cloud server and the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operation:
The second key is a random number.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Decrypting the signature result in the device public key certificate with the predetermined server public key to obtain a third hash value, where the signature result is obtained by the cloud server encrypting the first hash value with a predetermined server private key;
When the third hash value is consistent with the first hash value, performing a hash operation on preset information in the device public key certificate to obtain a second hash value, the preset information including at least one of a certificate format, a certificate serial number, a hash algorithm identifier, a device public key algorithm identifier and the device public key;
When the second hash value is consistent with the first hash value in the device public key certificate, determining that signature verification passes.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
The cloud server obtains first ciphertext data from the key negotiation request message and decrypts the first ciphertext data with the cloud server private key to obtain and save a first key, where the device generates the first key, encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server;
Returning the second ciphertext data to the device, so that the device, on receiving the second ciphertext data, decrypts the second ciphertext data with the device private key to obtain and save the second key;
Generating the session key between the cloud server and the device from the second key and the first key.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Encrypting the second key according to a preset algorithm to generate a first key check value;
Returning the second ciphertext data and the first key check value to the device, so that the device, on receiving the second ciphertext data and the first key check value, decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to the preset algorithm to generate a second key check value, and saves the second key when the second key check value is consistent with the first key check value;
Generating the session key between the cloud server and the device from the second key and the first key.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Encrypting predetermined bytes according to the second key and the first key to obtain an encrypted result;
Taking preset bytes of the encrypted result as the first key check value.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
When the cloud server receives the key agreement confirmation message returned by the device, it decrypts the key agreement confirmation message with the session key to obtain a decrypted result;
When the decrypted result includes a preset field, the cloud server sends a key agreement confirmation message to the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Splicing the second key with the first key to obtain a splicing result;
Using the splicing result as the session key between the cloud server and the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operation:
A device generates a key negotiation request message from a device public key certificate and sends the key negotiation request message to a cloud server, so that the cloud server, after receiving the key negotiation request message sent by the device, obtains the device public key certificate from the key negotiation request message and verifies the signature result in the device public key certificate using a predetermined server public key; when verification passes, the cloud server extracts the device public key from the device public key certificate, generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out the key agreement between the cloud server and the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operation:
The second key is a random number.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
The device generates a first key, encrypts the first key with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server, so that the cloud server obtains the first ciphertext data from the key negotiation request message sent by the device and decrypts the first ciphertext data with the cloud server private key to obtain and save the first key;
On receiving the second ciphertext data, the device decrypts the second ciphertext data with the device private key to obtain and save the second key, and generates the session key between the cloud server and the device from the second key and the first key, where the cloud server, on obtaining and saving the first key, generates the second key, encrypts the second key with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operation:
On receiving the second ciphertext data and a first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to a preset algorithm to generate a second key check value, saves the second key when the second key check value is consistent with the first key check value, and generates the session key between the cloud server and the device from the second key and the first key, where the cloud server encrypts the second key according to the preset algorithm to generate the first key check value and returns the second ciphertext data and the first key check value to the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Encrypting predetermined bytes according to the second key and the first key to obtain an encrypted result;
Taking preset bytes of the encrypted result as the second key check value.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
The device encrypts a preset field with the session key to obtain a key agreement confirmation message;
Sending the key agreement confirmation message to the cloud server, so that the cloud server, on receiving the key agreement confirmation message, decrypts it with the session key to obtain a decrypted result and, when the decrypted result includes the preset field, sends a key agreement confirmation message to the device.
Further, the processor 1001 may call the key agreement program stored in the memory 1002 and also perform the following operations:
Splicing the second key with the first key to obtain a splicing result;
Using the splicing result as the session key between the cloud server and the device.
Referring to Fig. 2, in the first embodiment, the key negotiation method includes:
Step S10: after receiving a key negotiation request message sent by a device, the cloud server obtains a device public key certificate from the key negotiation request message;
In this embodiment, the executing entity is the cloud server. The device may be any of a variety of smart devices, such as an air conditioner, a washing machine or a smart door lock, and can communicate through the cloud server with an APP on a mobile terminal; that is, the user can send instructions through the APP to control the smart device. Before the cloud server and the device carry out secure transmission, key agreement is required.
The device generates a key negotiation request message from the device public key certificate and sends the key negotiation request message to the cloud server, where the device public key certificate can be obtained by decryption from a predetermined server, and the predetermined server may be a License server. This approach increases the randomness of the certificate.
Step S11: the cloud server verifies the signature result in the device public key certificate using a predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate;
Specifically, the key negotiation request message includes a root public key index, the device public key certificate and so on. The cloud server verifies the signature result in the device public key certificate and, when verification passes, uses the root public key index to extract the public key from the device public key certificate.
The signature verification process may be as follows: the cloud server decrypts the signature result in the device public key certificate with the predetermined server public key to obtain a third hash value, where the signature result is obtained by the cloud server encrypting the first hash value with the predetermined server private key. When the third hash value is consistent with the first hash value, a hash operation is performed on the preset information in the device public key certificate to obtain a second hash value, the preset information including the certificate format, certificate serial number, hash algorithm identifier, device public key algorithm identifier and device public key. When the second hash value is consistent with the first hash value in the device public key certificate, signature verification is determined to pass.
Step S12: the cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out the key agreement between the cloud server and the device.
In this embodiment, the cloud server obtains the first key from the key negotiation request message sent by the device, where the first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. The cloud server then generates the second key, encrypts the second key with the device public key to obtain second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key. In this way, the cloud server and the device each hold the first key and the second key, and generate the session key between the server and the device from the second key and the first key.
It should be noted that the second key may be a random number. The cloud server obtains a first random number from the key negotiation request message sent by the device, where the first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. The cloud server then generates a second random number, encrypts the second random number with the device public key to obtain second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and generate the session key between the cloud server and the device from the first random number and the second random number.
In the first embodiment, after receiving the key negotiation request message sent by the device, the cloud server obtains the device public key certificate from the key negotiation request message, verifies the signature result in the device public key certificate using the predetermined server public key and, when verification passes, extracts the device public key from the device public key certificate; the cloud server then generates the second key, encrypts the second key with the device public key and sends it to the device, so as to carry out the key agreement between the cloud server and the device. In this way, the randomness of the certificate is increased, which increases the difficulty of obtaining identity authentication information by packet capture and strengthens the security of the key agreement process.
In a second embodiment, as shown in Fig. 3, on the basis of the embodiment shown in Fig. 2 above, the step of verifying the signature result in the device public key certificate using the preset server public key includes:
Step S111: decrypt the signature result in the device public key certificate using the preset server public key to obtain a third hash value, where the signature result is obtained by the cloud server encrypting the first hash value with the preset server private key;
Step S112: judge whether the third hash value is consistent with the first hash value;
Step S113: when the third hash value is consistent with the first hash value, perform a hash operation on the preset information in the device public key certificate to obtain a second hash value, where the preset information includes at least one of the certificate format, certificate serial number, hash algorithm identifier, device public key algorithm identifier and the device public key;
Step S114: judge whether the second hash value is consistent with the first hash value in the device public key certificate;
Step S115: when the second hash value is consistent with the first hash value in the device public key certificate, determine that the verification has passed.
In this embodiment, before extracting the device public key from the device public key certificate, the cloud server verifies the device public key certificate. Specifically, the device public key certificate includes the certificate format, certificate serial number, hash algorithm identifier, device public key algorithm identifier, device public key, signature result and first hash value. The signature result is obtained by the preset server signing the first hash value with the preset server private key, and the first hash value is obtained by the preset server performing a hash operation on the preset information; the preset information includes the certificate format, certificate serial number, hash algorithm identifier, device public key algorithm identifier and device public key.
The cloud server decrypts the signature result in the device public key certificate using the preset server public key to obtain the third hash value. When the third hash value is consistent with the first hash value, the cloud server performs a hash operation on the preset information in the device certificate to obtain the second hash value. When the second hash value is consistent with the first hash value, the certificate is determined to be legitimate, and the device public key is then extracted from the device certificate.
In the second embodiment, the signature result in the device public key certificate is verified using the preset server public key, which ensures the legitimacy of the certificate.
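The two-stage check of steps S111 to S115, as an added example that is not code from the patent: the third hash recovered from the signature must match the first hash carried in the certificate, and the second hash recomputed over the preset information must match it too. The field encoding, SHA-256, the names DeviceCert, issue, verify and outcome, and the toy textbook-RSA key (no padding, built from two Mersenne primes) are assumptions made so the flow runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed toy key for the preset server: N is the product of two Mersenne
# primes. Textbook RSA without padding, used only so the flow runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # preset server private exponent


@dataclass(frozen=True)
class DeviceCert:
    cert_format: bytes
    serial: bytes
    hash_alg_id: bytes
    pubkey_alg_id: bytes
    device_pubkey: bytes
    first_hash: bytes = b""
    signature: int = 0

    def preset_info(self) -> bytes:
        """Serialize the five hashed fields (this encoding is an assumption)."""
        fields = (self.cert_format, self.serial, self.hash_alg_id,
                  self.pubkey_alg_id, self.device_pubkey)
        # Length prefixes keep field boundaries unambiguous.
        return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue(cert: DeviceCert) -> DeviceCert:
    """Preset server side: hash the preset information, then sign the hash."""
    first_hash = hashlib.sha256(cert.preset_info()).digest()
    signature = pow(int.from_bytes(first_hash, "big"), D, N)
    return DeviceCert(cert.cert_format, cert.serial, cert.hash_alg_id,
                      cert.pubkey_alg_id, cert.device_pubkey,
                      first_hash, signature)


def verify(cert: DeviceCert) -> bytes:
    """Cloud server side: return the device public key or raise ValueError."""
    if not 0 < cert.signature < N:
        raise ValueError("signature out of range")
    # S111: recover the third hash from the signature with the public key.
    recovered = pow(cert.signature, E, N)
    third_hash = recovered.to_bytes(32, "big") if recovered.bit_length() <= 256 else b""
    # S112: the third hash must equal the first hash stored in the certificate.
    if not hmac.compare_digest(third_hash, cert.first_hash):
        raise ValueError("S112: third hash differs from first hash")
    # S113: recompute the hash over the preset information.
    second_hash = hashlib.sha256(cert.preset_info()).digest()
    # S114: the second hash must equal the first hash as well.
    if not hmac.compare_digest(second_hash, cert.first_hash):
        raise ValueError("S114: second hash differs from first hash")
    # S115: verification passed, the device public key can be extracted.
    return cert.device_pubkey


def outcome(cert: DeviceCert) -> str:
    """Return 'pass' or the step at which verification stopped."""
    try:
        verify(cert)
        return "pass"
    except ValueError as exc:
        return str(exc)
```

A certificate whose public key was swapped after issuance stops at S114, and one whose first hash was recomputed to match the swapped key stops at S112 because the signature no longer covers it.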
In a third embodiment, as shown in Fig. 4, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 3 above, the step of carrying out key negotiation between the cloud server and the device includes:
Step S121: the cloud server obtains the first ciphertext data from the key negotiation request message and decrypts the first ciphertext data with the cloud server private key to obtain and save the first key, where the device generates the first key, encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data and the device public key certificate, and sends it to the cloud server;
Step S122: return the second ciphertext data to the device, so that the device, on receiving the second ciphertext data, decrypts the second ciphertext data with the device private key to obtain and save the second key;
Step S123: generate the session key between the cloud server and the device according to the second key and the first key.
In this embodiment, the cloud server and the device carry out key negotiation. First, the cloud server obtains the first key from the key negotiation request message sent by the device. The first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates the second key, encrypts the second key with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key. In this way, the cloud server and the device each hold the first key and the second key, and the session key between the server and the device is generated according to the second key and the first key.
Preferably, the step of generating the session key according to the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key can also be generated from the second key and the first key in other ways. For example, the device generates a device public key and a device private key, and the cloud server likewise generates a private key and a public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key are used as the session key between the cloud server and the device. It should be noted that the preset algorithm can be the ECDH algorithm, ECC algorithm, RSA algorithm, ECDSA algorithm, etc.; the present invention is not specifically limited in this respect.
It should be noted that the first key and the second key can also be random numbers. First, the cloud server obtains the first random number from the key negotiation request message sent by the device. The first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates the second random number, encrypts the second random number with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and the session key between the cloud server and the device is generated according to the first random number and the second random number. Preferably, the step of generating the session key between the cloud server and the device according to the first random number and the second random number may be: concatenating the first random number and the second random number and using the concatenation result as the session key.
In the third embodiment, after obtaining the first key, the cloud server generates the second key, encrypts the second key to obtain the second ciphertext data, and returns the second ciphertext data to the device so that the device obtains the second key; the session key between the cloud server and the device is generated according to the second key and the first key. In this way, key negotiation between the cloud server and the device is achieved.
In a fourth embodiment, as shown in Fig. 5, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 4 above,
after the step of obtaining and saving the first key, the method further includes:
Step S124: encrypt the second key according to a preset algorithm to generate a first key check value;
Step S125: return the second ciphertext data and the first key check value to the device, so that the device, on receiving the second ciphertext data and the first key check value, decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to the preset algorithm to generate a second key check value, and saves the second key when the second key check value is consistent with the first key check value;
Step S126: generate the session key between the cloud server and the device according to the second key and the first key.
In this embodiment, the cloud server and the device carry out key negotiation. First, the cloud server obtains the first key from the key negotiation request message sent by the device. The first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates the second key and encrypts the concatenation result of the second key and the first key according to the preset algorithm to generate the first key check value; the cloud server also encrypts the second key with the device public key to obtain the second ciphertext data. The cloud server returns the second ciphertext data and the first key check value to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key and encrypts the concatenation result of the second key and the first key according to the preset algorithm to obtain the second key check value. When the second key check value is consistent with the first key check value, the device saves the second key. In this way, the cloud server and the device each hold the first key and the second key, and the session key between the cloud server and the device is generated according to the second key and the first key. Preferably, the step of generating the session key according to the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key can also be generated from the second key and the first key in other ways. For example, the device generates a device public key and a device private key, and the cloud server likewise generates a private key and a public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key are used as the session key between the cloud server and the device. It should be noted that the preset algorithm can be the ECDH algorithm, ECC algorithm, RSA algorithm, ECDSA algorithm, etc.; the present invention is not specifically limited in this respect.
It should be noted that the first key check value and the second key check value are used to verify the session key. Taking the first key check value as an example, the step of encrypting the concatenation result of the second key and the first key according to the preset algorithm to generate the first key check value may be: encrypting the predetermined bytes according to the concatenation result of the second key and the first key to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value. It should be noted that the session key can also be verified in other ways; the present invention is not specifically limited in this respect. For example, the cloud server applies the SHA256 algorithm to the concatenation result of the second key and the first key to obtain first digest information, and the device applies the SHA256 algorithm to the concatenation result of the second key and the first key to obtain second digest information; when the second digest information is consistent with the first digest information, the device saves the second key and generates the session key between the cloud server and the device according to the second key and the first key.
It should be noted that the first key and the second key can also be random numbers. First, the cloud server obtains the first random number from the key negotiation request message sent by the device. The first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates the second random number and encrypts the concatenation result of the second random number and the first random number according to the preset algorithm to generate the first key check value; the cloud server also encrypts the second random number with the device public key to obtain the second ciphertext data. The cloud server returns the second ciphertext data and the first key check value to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number and encrypts the concatenation result of the second random number and the first random number according to the preset algorithm to obtain the second key check value. When the second key check value is consistent with the first key check value, the device saves the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and the session key between the cloud server and the device is generated according to the second random number and the first random number. Preferably, the step of generating the session key according to the second random number and the first random number may be: concatenating the second random number and the first random number and using the concatenation result as the session key. Of course, the session key can also be generated from the second random number and the first random number in other ways; the present invention is not specifically limited in this respect. Taking the first key check value as an example, the step of encrypting the concatenation result of the second random number and the first random number according to the preset algorithm to generate the first key check value may be: encrypting the predetermined bytes according to the concatenation result of the second random number and the first random number to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value.
In the fourth embodiment, after obtaining the first key, the cloud server generates the second key, encrypts the second key to obtain the second ciphertext data, encrypts the second key according to the preset algorithm to generate the first key check value, and sends the second ciphertext data and the first key check value to the device, so that the device performs a check using the first key check value and, when the check passes, generates the session key according to the second key and the first key. In this way, the security of the session key between the cloud server and the device is improved.
In a fifth embodiment, as shown in Fig. 6, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 5 above, the step of encrypting the second key according to the preset algorithm to generate the first key check value includes:
Step S1251: encrypt the predetermined bytes according to the second key and the first key to obtain an encryption result;
Step S1252: use the preset bytes of the encryption result as the first key check value.
In this embodiment, the first preset check value is used to verify the session key. The step of encrypting the second key according to the preset algorithm to generate the first key check value may be: encrypting the predetermined bytes according to the second key and the first key to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value.
It should be noted that the predetermined bytes can be 16 bytes, and the preset bytes can be the first three bytes.
In the fifth embodiment, the predetermined bytes are encrypted according to the second key and the first key to obtain an encryption result, and the preset bytes of the encryption result are used as the first key check value. In this way, the security of the session key between the cloud server and the device is improved.
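The check-value exchange of steps S124 to S126 and S1251 to S1252, as an added example that is not code from the patent. The patent leaves the preset algorithm open, so HMAC-SHA256 keyed with the concatenated keys stands in for "encrypting" the 16 predetermined bytes; that substitution, the all-zero predetermined block, the second-key-then-first-key order and all function names are assumptions. The public-key transport of both keys is omitted: second_key on the device side stands for the value recovered from the second ciphertext data.

```python
import hashlib
import hmac
import secrets

PREDETERMINED = bytes(16)   # 16 predetermined bytes (all-zero block assumed)
CHECK_LEN = 3               # "preset bytes": the first three bytes


def key_check_value(second_key: bytes, first_key: bytes) -> bytes:
    """S1251/S1252: process the predetermined bytes under the concatenated
    keys and keep the first three bytes of the result.
    HMAC-SHA256 is a stand-in for the unspecified preset algorithm."""
    material = second_key + first_key
    result = hmac.new(material, PREDETERMINED, hashlib.sha256).digest()
    return result[:CHECK_LEN]


def session_key(second_key: bytes, first_key: bytes) -> bytes:
    """Session key as the concatenation of the second key and the first key."""
    return second_key + first_key


def server_respond(first_key: bytes, second_key: bytes = b""):
    """Cloud server: generate the second key (S12) and the first key check
    value (S124). A fixed second_key may be passed for reproducible runs."""
    second_key = second_key or secrets.token_bytes(16)
    return second_key, key_check_value(second_key, first_key)


def device_accept(first_key: bytes, second_key: bytes, first_check: bytes) -> bytes:
    """Device: recompute the second key check value over what it decrypted,
    compare in constant time, and only then save the key and derive the
    session key (S125/S126)."""
    second_check = key_check_value(second_key, first_key)
    if not hmac.compare_digest(second_check, first_check):
        raise ValueError("key check value mismatch: second key not saved")
    return session_key(second_key, first_key)


def device_outcome(first_key: bytes, second_key: bytes, first_check: bytes) -> str:
    """Return 'saved' or the reason the device discarded the second key."""
    try:
        device_accept(first_key, second_key, first_check)
        return "saved"
    except ValueError as exc:
        return str(exc)
```

With a three-byte check value, a wrong second key passes the comparison by chance with probability 2^-24, so the value catches corrupted or mismatched keys rather than serving as proof of key possession.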
In a sixth embodiment, as shown in Fig. 7, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 6 above, after the step of generating the session key between the cloud server and the device according to the second key and the first key, the method further includes:
Step S127: on receiving the key negotiation confirmation message returned by the device, the cloud server decrypts the key negotiation confirmation message with the session key to obtain a decryption result;
Step S128: when the decryption result includes a preset field, send a key negotiation confirmation message to the device.
In this embodiment, on receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key and encrypts the second key according to the preset algorithm to generate the second key check value; when the second key check value is consistent with the first key check value, the device saves the second key and generates the session key between the cloud server and the device according to the second key and the first key. It should be noted that the first key and the second key can be random numbers. On receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second random number and encrypts the concatenation result of the second random number and the first random number according to the preset algorithm to obtain the second key check value; when the second key check value is consistent with the first key check value, the device saves the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and the session key between the cloud server and the device is generated according to the second random number and the first random number.
The device encrypts a preset field with the session key, or encrypts the preset field and a random number with the session key, to obtain the key negotiation confirmation message, and sends the key negotiation confirmation message to the cloud server, so that the cloud server, on receiving the key negotiation confirmation message, decrypts it with the session key to obtain a decryption result and, when the decryption result includes the preset field, sends a key negotiation confirmation message to the device. The preset field can be characters such as "OK". When the decryption result does not include the preset field, an error code is returned to the device.
In the sixth embodiment, on receiving the key negotiation confirmation message returned by the device, the cloud server decrypts the key negotiation confirmation message to obtain a decryption result and, when the decryption result includes the preset field, sends a key negotiation confirmation message to the device. In this way, key negotiation between the cloud server and the device is achieved.
In a seventh embodiment, as shown in Fig. 8, on the basis of the embodiment shown in any one of Fig. 2 to Fig. 7 above, the step of generating the session key between the cloud server and the device according to the second key and the first key includes:
Step S1261: concatenate the second key with the first key to obtain a concatenation result;
Step S1262: use the concatenation result as the session key between the cloud server and the device.
In this embodiment, the step of generating the session key according to the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key can also be generated from the second key and the first key in other ways; the present invention is not specifically limited in this respect. For example, the device generates a device public key and a device private key, and the cloud server likewise generates a private key and a public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key are used as the session key between the cloud server and the device. It should be noted that the preset algorithm can be the ECDH algorithm, ECC algorithm, RSA algorithm, ECDSA algorithm, etc.; the present invention is not specifically limited in this respect.
It should be noted that the first key and the second key can also be random numbers; that is, the second random number is concatenated with the first random number, and the concatenation result is used as the session key. Of course, the session key can also be generated from the second random number and the first random number in other ways; the present invention is not specifically limited in this respect.
In the seventh embodiment, the second key is concatenated with the first key, and the concatenation result is used as the session key between the cloud server and the device. In this way, secure communication between the cloud server and the device is ensured.
The present invention also provides a key negotiation method. Referring to Fig. 9, in an eighth embodiment, the key negotiation method includes the following steps:
Step S20: the device generates a key negotiation request message according to the device public key certificate and sends the key negotiation request message to the cloud server, so that the cloud server, after receiving the key negotiation request message sent by the device, obtains the device public key certificate from the key negotiation request message, verifies the signature result in the device public key certificate using the preset server public key, and, when the verification passes, extracts the device public key from the device public key certificate; the cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out key negotiation between the cloud server and the device.
In this embodiment, the executing entity is the device. The device can be any of a variety of smart devices such as an air conditioner, a washing machine or a smart door lock, and can communicate through the cloud server with an APP on a mobile terminal; that is, the user can send instructions through the APP to control the smart device. Before the cloud server and the device carry out secure transmission, key negotiation is required.
The device generates a key negotiation request message according to the device public key certificate and sends the key negotiation request message to the cloud server. The device public key certificate can be obtained by decryption from a preset server, and the preset server can be a License server; this approach increases the randomness of the certificate.
Specifically, the key negotiation request message includes a root public key index, the device public key certificate, and so on. The cloud server verifies the signature result in the device public key certificate and, when the verification passes, uses the root public key index to extract the public key from the device public key certificate.
The signature verification process may be as follows: the cloud server decrypts the signature result in the device public key certificate using the preset server public key to obtain a third hash value, where the signature result is obtained by the cloud server encrypting the first hash value with the preset server private key. When the third hash value is consistent with the first hash value, a hash operation is performed on the preset information in the device public key certificate to obtain a second hash value; the preset information includes the certificate format, certificate serial number, hash algorithm identifier, device public key algorithm identifier and device public key. When the second hash value is consistent with the first hash value in the device public key certificate, the verification is determined to have passed.
In this embodiment, the cloud server obtains a first key from the key negotiation request message sent by the device. The first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key. In this way, the cloud server and the device each hold the first key and the second key, and the session key between the server and the device is generated according to the second key and the first key.
It should be noted that the second key can be a random number. The cloud server obtains a first random number from the key negotiation request message sent by the device. The first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message according to the first ciphertext data, and sends it to the cloud server. The cloud server then generates a second random number, encrypts the second random number with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and the session key between the cloud server and the device is generated according to the first random number and the second random number.
In the eighth embodiment, after receiving the key negotiation request message sent by the device, the cloud server obtains the device public key certificate from the key negotiation request message, verifies the signature result in the device public key certificate using the preset server public key, and, when the verification passes, extracts the device public key from the device public key certificate; the cloud server then generates the second key, encrypts it with the device public key and sends it to the device, so as to carry out key negotiation between the cloud server and the device. In this way, the randomness of the certificate is increased, which makes it more difficult to obtain authentication information by packet capture and strengthens the security of the key negotiation process.
It is as shown in Figure 10, described by the key on the basis of above-mentioned embodiment shown in Fig. 9 in the 9th embodiment Message of negotiation request was sent to after the step of Cloud Server, further includes:
Step S21, the described equipment generates first key, obtains first by first key described in Cloud Server public key encryption Ciphertext data, and the key negotiation request message is generated according to the first ciphertext data and equipment public key certificate and is sent to The Cloud Server, key negotiation request Receive message the first ciphertext number sent for the Cloud Server according to the equipment According to, and the first ciphertext data are decrypted by Cloud Server private key, it obtains and saves first key;
Step S22, the described equipment decrypts described the when receiving the second ciphertext data, using the device private Two ciphertext data obtain and save the second key, and generate the cloud service according to second key and the first key Session key between device and the equipment, wherein the Cloud Server generates institute when obtaining and saving the first key The second key is stated, and second key is encrypted using the equipment public key to obtain the second ciphertext data, by described Two ciphertext data are back to the equipment.
In this embodiment, the cloud server and the device carry out key negotiation. First, the cloud server obtains the first key from the key negotiation request message sent by the device, wherein the first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. Then the cloud server generates the second key, encrypts the second key with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key. In this way, the cloud server and the device each hold the first key and the second key, and generate the session key between the server and the device from the second key and the first key.
Preferably, the step of generating the session key from the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key may also be generated from the second key and the first key in other ways. For example, the device generates a device public key and a device private key, and the cloud server generates a device private key and a device public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key then serve as the session key between the cloud server and the device. It should be noted that the preset algorithm may be the ECDH algorithm, the ECC algorithm, the RSA algorithm, the ECDSA algorithm, etc.; the present invention does not specifically limit this.
It should be noted that the first key and the second key may also be random numbers. First, the cloud server obtains the first random number from the key negotiation request message sent by the device, wherein the first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. Then the cloud server generates the second random number, encrypts the second random number with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number. In this way, the cloud server and the device each hold the first random number and the second random number, and generate the session key between the cloud server and the device from the first random number and the second random number. Preferably, the step of generating the session key between the cloud server and the device from the first random number and the second random number may be: concatenating the first random number with the second random number and using the concatenation result as the session key.
In the ninth embodiment, after obtaining the first key, the cloud server generates the second key, encrypts the second key to obtain the second ciphertext data, and returns the second ciphertext data to the device, so that the device obtains the second key and generates the session key between the cloud server and the device from the second key and the first key. In this way, key negotiation between the cloud server and the device is achieved.
In the tenth embodiment, as shown in Figure 11, on the basis of the embodiment shown in any of Figures 9 to 10 above, after the step of generating the key negotiation request message from the first ciphertext data and the device public key certificate and sending it to the cloud server, the method further includes:
Step S23: on receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key, and encrypts the second key according to a preset algorithm to generate a second key check value; when the second key check value is consistent with the first key check value, the device saves the second key and generates the session key between the cloud server and the device from the second key and the first key, wherein the cloud server encrypts the second key according to the preset algorithm to generate the first key check value, and returns the second ciphertext data and the first key check value to the device.
In this embodiment, the cloud server and the device carry out key negotiation. First, the cloud server obtains the first key from the key negotiation request message sent by the device, wherein the first key is generated by the device: the device encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. Then the cloud server generates the second key and encrypts the concatenation of the second key and the first key according to a preset algorithm to generate the first key check value; the cloud server also encrypts the second key with the device public key to obtain the second ciphertext data. The cloud server returns the second ciphertext data and the first key check value to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the concatenation of the second key and the first key according to the preset algorithm to obtain the second key check value, and saves the second key when the second key check value is consistent with the first key check value. In this way, the cloud server and the device each hold the first key and the second key, and generate the session key between the cloud server and the device from the second key and the first key. Preferably, the step of generating the session key from the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key may also be generated from the second key and the first key in other ways. For example, the device generates a device public key and a device private key, and the cloud server generates a device private key and a device public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key then serve as the session key between the cloud server and the device. It should be noted that the preset algorithm may be the ECDH algorithm, the ECC algorithm, the RSA algorithm, the ECDSA algorithm, etc.; the present invention does not specifically limit this.
It should be noted that the first key check value and the second key check value are used to verify the session key. Taking the first key check value as an example, the step of encrypting the concatenation of the second key and the first key according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the concatenation of the second key and the first key to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value. It should be noted that the session key may also be verified in other ways; the present invention does not specifically limit this. For example, the cloud server applies the SHA256 algorithm to the concatenation of the second key and the first key to obtain first digest information, and the device applies the SHA256 algorithm to the concatenation of the second key and the first key to obtain second digest information; when the second digest information is consistent with the first digest information, the device saves the second key and generates the session key between the cloud server and the device from the second key and the first key.
It should be noted that the first key and the second key may also be random numbers. First, the cloud server obtains the first random number from the key negotiation request message sent by the device, wherein the first random number is generated by the device: the device encrypts the first random number with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data, and sends it to the cloud server. Then the cloud server generates the second random number and encrypts the concatenation of the second random number and the first random number according to the preset algorithm to generate the first key check value; the cloud server also encrypts the second random number with the device public key to obtain the second ciphertext data. The cloud server returns the second ciphertext data and the first key check value to the device, so that the device decrypts the second ciphertext data with the device private key to obtain the second random number, encrypts the concatenation of the second random number and the first random number according to the preset algorithm to obtain the second key check value, and saves the second random number when the second key check value is consistent with the first key check value. In this way, the cloud server and the device each hold the first random number and the second random number, and generate the session key between the cloud server and the device from the second random number and the first random number. Preferably, the step of generating the session key from the second random number and the first random number may be: concatenating the second random number with the first random number and using the concatenation result as the session key. Of course, the session key may also be generated from the second random number and the first random number in other ways; the present invention does not specifically limit this. Taking the first key check value as an example, the step of encrypting the concatenation of the second random number and the first random number according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the concatenation of the second random number and the first random number to obtain an encryption result, and using the preset bytes of the encryption result as the first key check value.
In the tenth embodiment, after obtaining the first key, the cloud server generates the second key, encrypts the second key to obtain the second ciphertext data, encrypts the second key according to the preset algorithm to generate the first key check value, and sends the second ciphertext data and the first key check value to the device, so that the device performs verification using the first key check value and, when verification passes, generates the session key from the second key and the first key. In this way, the security of the session key between the cloud server and the device is improved.
In the eleventh embodiment, referring to Figure 12, on the basis of the embodiment shown in any of Figures 9 to 11 above, the step of encrypting the second key according to the preset algorithm to generate the second key check value includes:
Step S231: encrypting predetermined bytes according to the second key and the first key to obtain an encryption result;
Step S232: using the preset bytes of the encryption result as the second key check value.
In this embodiment, the second key check value is used to verify the session key. The step of encrypting the second key according to the preset algorithm to generate the first key check value may be: encrypting predetermined bytes according to the second key and the first key to obtain an encryption result, and using the preset bytes of the encryption result as the second key check value.
It should be noted that the predetermined bytes may be 16 bytes, and the preset bytes may be the first three bytes.
In the eleventh embodiment, predetermined bytes are encrypted according to the second key and the first key to obtain an encryption result, and the preset bytes of the encryption result are used as the first key check value. This ensures the security of key negotiation between the cloud server and the device.
In the twelfth embodiment, as shown in Figure 13, on the basis of the embodiment shown in any of Figures 9 to 12 above, after the step of generating the session key between the cloud server and the device from the second key and the first key, the method further includes:
Step S24: the device encrypts a preset field with the session key to obtain key agreement confirmation information;
Step S25: the key agreement confirmation message is sent to the cloud server, so that the cloud server, on receiving the key agreement confirmation message, decrypts the key agreement confirmation message with the session key to obtain a decryption result and, when the decryption result contains the preset field, sends a key agreement confirmation message to the device.
In this embodiment, on receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key, and encrypts the second key according to the preset algorithm to generate the second key check value; when the second key check value is consistent with the first key check value, the device saves the second key and generates the session key between the cloud server and the device from the second key and the first key. It should be noted that the first key and the second key may be random numbers. On receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second random number, encrypts the concatenation of the second random number and the first random number according to the preset algorithm to obtain the second key check value, and saves the second random number when the second key check value is consistent with the first key check value. In this way, the cloud server and the device each hold the first random number and the second random number, and generate the session key between the cloud server and the device from the second random number and the first random number.
The device encrypts the preset field with the session key, or encrypts the preset field and a random number with the session key, to obtain the key agreement confirmation message, and sends the key agreement confirmation message to the cloud server, so that the cloud server, on receiving the key agreement confirmation message, decrypts it with the session key to obtain a decryption result and, when the decryption result contains the preset field, sends a key agreement confirmation message to the device. The preset field may be characters such as "OK". When the decryption result does not contain the preset field, an error code is returned to the device.
In the twelfth embodiment, on receiving the key agreement confirmation message returned by the device, the cloud server decrypts the key agreement confirmation message to obtain a decryption result and, when the decryption result contains the preset field, sends a key agreement confirmation message to the device. In this way, key negotiation between the cloud server and the device is achieved.
In the thirteenth embodiment, as shown in Figure 14, on the basis of the embodiment shown in any of Figures 9 to 13 above, the step of generating the session key between the cloud server and the device from the second key and the first key includes:
Step S221: concatenating the second key with the first key to obtain a concatenation result;
Step S222: using the concatenation result as the session key between the cloud server and the device.
In this embodiment, the step of generating the session key from the second key and the first key may be: concatenating the second key with the first key and using the concatenation result as the session key. Of course, the session key may also be generated from the second key and the first key in other ways; the present invention does not specifically limit this. For example, the device generates a device public key and a device private key, and the cloud server generates a device private key and a device public key; the device receives the cloud server public key sent by the cloud server and uses the device private key to compute a first session key from the cloud server public key by a preset algorithm; similarly, the cloud server receives the device public key sent by the device and uses the cloud server private key to compute a second session key from the device public key by the preset algorithm; the first session key and the second session key then serve as the session key between the cloud server and the device. It should be noted that the preset algorithm may be the ECDH algorithm, the ECC algorithm, the RSA algorithm, the ECDSA algorithm, etc.; the present invention does not specifically limit this.
It should be noted that the first key and the second key may also be random numbers; that is, the second random number is concatenated with the first random number and the concatenation result is used as the session key. Of course, the session key may also be generated from the second random number and the first random number in other ways; the present invention does not specifically limit this.
In the thirteenth embodiment, the second key is concatenated with the first key and the concatenation result is used as the session key between the cloud server and the device, which safeguards secure communication between the cloud server and the device.
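The exchange of steps S21 to S23, with the check value of S231/S232 and the concatenated session key of S221/S222, can be run end to end as below. This is an added example, not code from the patent: RSA-OAEP as the public-key encryption, AES as the preset algorithm, 16-byte random keys, all-zero predetermined bytes and every function name are assumptions, and the certificate check and the "OK" confirmation step are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed, not fixed by the text: RSA-OAEP for public-key encryption,
// 16-byte random keys, AES as the preset algorithm for the check value.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// sessionKey concatenates the second key with the first key (S221/S222).
func sessionKey(k2, k1 []byte) []byte {
	return append(append([]byte{}, k2...), k1...)
}

// checkValue encrypts 16 predetermined bytes (all zero here, an assumption)
// under the concatenated keys and keeps the first three bytes (S231/S232).
func checkValue(k2, k1 []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey(k2, k1)) // 16+16 bytes: AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return out[:3], nil
}

// serverRespond recovers the first key, makes the second key, and returns c2 plus the check value.
func serverRespond(srv *rsa.PrivateKey, devPub *rsa.PublicKey, c1 []byte) (k1, k2, c2, kcv []byte, err error) {
	if k1, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, srv, c1, nil); err != nil {
		return
	}
	k2 = randBytes(16)
	if c2, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, k2, nil); err != nil {
		return
	}
	kcv, err = checkValue(k2, k1)
	return
}

// deviceFinish derives the session key only if its own check value matches the received one (S23).
func deviceFinish(dev *rsa.PrivateKey, k1, c2, kcv []byte) ([]byte, error) {
	k2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, dev, c2, nil)
	if err != nil {
		return nil, err
	}
	own, err := checkValue(k2, k1)
	if err != nil {
		return nil, err
	}
	if subtle.ConstantTimeCompare(own, kcv) != 1 {
		return nil, errors.New("key check value mismatch")
	}
	return sessionKey(k2, k1), nil
}

// negotiate runs both sides in-process; tamper flips one bit of the check value in transit.
func negotiate(tamper bool) (bool, error) {
	srv := must(rsa.GenerateKey(rand.Reader, 2048)) // constructed demo keys
	dev := must(rsa.GenerateKey(rand.Reader, 2048))
	k1 := randBytes(16) // S21: the device generates the first key
	c1 := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, k1, nil))
	sk1, sk2, c2, kcv, err := serverRespond(srv, &dev.PublicKey, c1)
	if err != nil {
		return false, err
	}
	if tamper {
		kcv[0] ^= 1
	}
	devKey, err := deviceFinish(dev, k1, c2, kcv)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(devKey, sessionKey(sk2, sk1)) == 1, nil
}

func main() {
	fmt.Println(negotiate(false))
	fmt.Println(negotiate(true))
}
```

With a three-byte check value, a wrong second key still passes the comparison with probability of about 2^-24.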
In addition, the present invention also proposes a cloud server. The cloud server includes a memory, a processor, and a key agreement program stored on the memory and executable on the processor; the processor performs the steps of the key negotiation method described above with the cloud server as the executing subject.
In addition, the present invention also proposes a device. The device includes a memory, a processor, and a key agreement program stored on the memory and executable on the processor; the processor performs the steps of the key negotiation method described above with the device as the executing subject.
In addition, the present invention also proposes a computer-readable storage medium. The computer-readable storage medium includes a key agreement program which, when executed by a processor, implements the steps of the key negotiation method described in the above embodiments.
In addition, the present invention also proposes a key agreement system, which includes the above cloud server and the above device.
The serial numbers of the above embodiments of the invention are for description only and do not indicate the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal device (which may be a television, mobile phone, computer, server, air conditioner, network device, etc.) to execute the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and do not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of protection of the present invention.

Claims (19)

1. A key negotiation method, characterized in that the key negotiation method comprises the following steps:
after receiving a key negotiation request message sent by a device, a cloud server obtains a device public key certificate from the key negotiation request message;
the signature result in the device public key certificate is verified using a predetermined server public key, and, when verification passes, the device public key is extracted from the device public key certificate;
the cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out key negotiation between the cloud server and the device.
2. The key negotiation method as claimed in claim 1, characterized in that the second key is a random number.
3. The key negotiation method as claimed in claim 2, characterized in that the step of verifying the signature result in the device public key certificate using the predetermined server public key includes:
decrypting the signature result in the device public key certificate using the predetermined server public key to obtain a third hash value, wherein the signature result is obtained by the cloud server encrypting the first hash value using a predetermined server private key;
when the third hash value is consistent with the first hash value, performing a hash operation on preset information in the device public key certificate to obtain a second hash value, the preset information including at least one of a certificate format, a certificate serial number, a hash algorithm identifier, a device public key algorithm identifier and the device public key;
when the second hash value is consistent with the first hash value in the device public key certificate, determining that verification passes.
4. The key negotiation method as claimed in claim 2, characterized in that the step of carrying out key negotiation between the cloud server and the device includes:
the cloud server obtains first ciphertext data from the key negotiation request message, decrypts the first ciphertext data with a cloud server private key, and obtains and saves a first key, wherein the device generates the first key, encrypts the first key with the cloud server public key to obtain the first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server;
the second ciphertext data is returned to the device, so that the device, on receiving the second ciphertext data, decrypts the second ciphertext data with the device private key and obtains and saves the second key;
the session key between the cloud server and the device is generated from the second key and the first key.
5. The key negotiation method as claimed in claim 4, characterized in that, after the step of obtaining and saving the first key, the method further includes:
encrypting the second key according to a preset algorithm to generate a first key check value;
returning the second ciphertext data and the first key check value to the device, so that the device, on receiving the second ciphertext data and the first key check value, decrypts the second ciphertext data with the device private key to obtain the second key, encrypts the second key according to the preset algorithm to generate a second key check value, and saves the second key when the second key check value is consistent with the first key check value;
generating the session key between the cloud server and the device from the second key and the first key.
6. The key negotiation method as claimed in claim 5, characterized in that the step of encrypting the second key according to the preset algorithm to generate the first key check value includes:
encrypting predetermined bytes according to the second key and the first key to obtain an encryption result;
using the preset bytes of the encryption result as the first key check value.
7. The key negotiation method as claimed in claim 5, characterized in that, after the step of generating the session key between the cloud server and the device from the second key and the first key, the method further includes:
on receiving the key agreement confirmation message returned by the device, the cloud server decrypts the key agreement confirmation message with the session key to obtain a decryption result;
when the decryption result contains a preset field, a key agreement confirmation message is sent to the device.
8. The key negotiation method as claimed in claim 5, characterized in that the step of generating the session key between the cloud server and the device from the second key and the first key includes:
concatenating the second key with the first key to obtain a concatenation result;
using the concatenation result as the session key between the cloud server and the device.
9. A key negotiation method, characterized in that the key negotiation method comprises the following steps:
a device generates a key negotiation request message from a device public key certificate and sends the key negotiation request message to a cloud server, so that the cloud server, after receiving the key negotiation request message sent by the device, obtains the device public key certificate from the key negotiation request message, verifies the signature result in the device public key certificate using a predetermined server public key, and, when verification passes, extracts the device public key from the device public key certificate; the cloud server generates a second key, encrypts the second key with the device public key to obtain second ciphertext data, and sends the second ciphertext data to the device, so as to carry out key negotiation between the cloud server and the device.
10. The key negotiation method as claimed in claim 9, characterized in that the second key is a random number.
11. The key negotiation method as claimed in claim 10, characterized in that, after the step of sending the key negotiation request message to the cloud server, the method further includes:
the device generates a first key, encrypts the first key with the cloud server public key to obtain first ciphertext data, generates the key negotiation request message from the first ciphertext data and the device public key certificate, and sends it to the cloud server, so that the cloud server obtains the first ciphertext data from the key negotiation request message sent by the device, decrypts the first ciphertext data with the cloud server private key, and obtains and saves the first key;
on receiving the second ciphertext data, the device decrypts the second ciphertext data with the device private key, obtains and saves the second key, and generates the session key between the cloud server and the device from the second key and the first key, wherein the cloud server, on obtaining and saving the first key, generates the second key, encrypts the second key with the device public key to obtain the second ciphertext data, and returns the second ciphertext data to the device.
12. The key negotiation method as claimed in claim 11, characterized in that, after the step of generating the key negotiation request message from the first ciphertext data and the device public key certificate and sending it to the cloud server, the method further includes:
on receiving the second ciphertext data and the first key check value, the device decrypts the second ciphertext data with the device private key to obtain the second key, and encrypts the second key according to a preset algorithm to generate a second key check value; when the second key check value is consistent with the first key check value, the device saves the second key and generates the session key between the cloud server and the device from the second key and the first key, wherein the cloud server encrypts the second key according to the preset algorithm to generate the first key check value, and returns the second ciphertext data and the first key check value to the device.
13. The key negotiation method as claimed in claim 12, characterized in that the step of encrypting the second key according to the preset algorithm to generate the second key check value includes:
encrypting predetermined bytes according to the second key and the first key to obtain an encryption result;
using the preset bytes of the encryption result as the second key check value.
14. The key negotiation method as claimed in claim 11, characterized in that, after the step of generating the session key between the cloud server and the device from the second key and the first key, the method further includes:
the device encrypts a preset field with the session key to obtain a key agreement confirmation message;
the key agreement confirmation message is sent to the cloud server, so that the cloud server, on receiving the key agreement confirmation message, decrypts the key agreement confirmation message with the session key to obtain a decryption result and, when the decryption result contains the preset field, sends a key agreement confirmation message to the device.
15. The key negotiation method as claimed in claim 11, characterized in that the step of generating the session key between the cloud server and the device from the second key and the first key includes:
concatenating the second key with the first key to obtain a concatenation result;
using the concatenation result as the session key between the cloud server and the device.
16. a kind of Cloud Server, which is characterized in that the Cloud Server includes memory, processor and is stored in the storage It is real when the Key Agreement procedure is executed by the processor on device and the Key Agreement procedure that can run on the processor Now such as the step of cryptographic key negotiation method described in any item of the claim 1 to 8.
17. a kind of equipment, which is characterized in that the equipment includes memory, processor and is stored on the memory and can The Key Agreement procedure run on the processor realizes such as right when the Key Agreement procedure is executed by the processor It is required that the step of cryptographic key negotiation method described in any one of 9 to 15.
18. a kind of computer readable storage medium, which is characterized in that be stored with key association on the computer readable storage medium Quotient's program, the Key Agreement procedure are executed by processor the key agreement realized as described in any one of claims 1 to 15 The step of method.
19. a kind of key agreement system, which is characterized in that the key agreement system includes cloud as described in claim 16 Server and equipment as described in claim 17.
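The equipment-side steps of claims 13 to 15, together with the Cloud Server's check from claim 14, as an added example that is not code from the patent. AES-256 (one ECB block for the check value, GCM for the confirmation message), 16-byte first and second keys, the constant values and all function names are assumptions: the claims name no cipher and do not say how the two keys are combined for the check value, so the spliced key is used for both.

```javascript
const crypto = require('node:crypto');

// Constructed values: the claims fix neither the cipher nor these constants.
const CHECK_BLOCK = Buffer.from('KEY-CHECK-BLOCK!'); // 16 predetermined bytes
const PRESET_FIELD = Buffer.from('KEY-AGREE-OK');     // preset field (claim 14)
const KCV_LEN = 4;                                    // bytes kept as check value

// Claim 15: splice the second key with the first key to get the session key.
function sessionKey(secondKey, firstKey) {
  const key = Buffer.concat([secondKey, firstKey]);
  if (key.length !== 32) throw new RangeError('spliced key must be 32 bytes');
  return key;
}

// Claim 13: encrypt the predetermined bytes, keep a prefix of the result.
// The block is non-zero so the prefix is not part of the GCM subkey E_K(0).
function keyCheckValue(secondKey, firstKey) {
  const c = crypto.createCipheriv('aes-256-ecb', sessionKey(secondKey, firstKey), null);
  c.setAutoPadding(false); // exactly one block in, one block out
  return Buffer.concat([c.update(CHECK_BLOCK), c.final()]).subarray(0, KCV_LEN);
}

// Compare a received check value with the locally computed one in constant time.
function checkValueMatches(received, secondKey, firstKey) {
  return received.length === KCV_LEN &&
    crypto.timingSafeEqual(received, keyCheckValue(secondKey, firstKey));
}

// Claim 14, equipment side: nonce || ciphertext || tag over the preset field.
function confirm(key) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(PRESET_FIELD), c.final()]);
  return Buffer.concat([nonce, ct, c.getAuthTag()]);
}

// Claim 14, Cloud Server side: decrypt, then check the preset field is present.
function verifyConfirm(key, msg) {
  if (msg.length < 12 + 16) return false;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.subarray(0, 12));
    d.setAuthTag(msg.subarray(msg.length - 16));
    const pt = Buffer.concat([d.update(msg.subarray(12, msg.length - 16)), d.final()]);
    return pt.includes(PRESET_FIELD);
  } catch {
    return false; // wrong session key or tampered message
  }
}
```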

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811302357.XA CN109040149A (en) 2018-11-02 2018-11-02 Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system

Publications (1)

Publication Number Publication Date
CN109040149A true CN109040149A (en) 2018-12-18

Family

ID=64614353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811302357.XA Pending CN109040149A (en) 2018-11-02 2018-11-02 Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system

Country Status (1)

Country Link
CN (1) CN109040149A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832397A (en) * 2005-11-28 2006-09-13 北京浦奥得数码技术有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
WO2016053184A1 (en) * 2014-10-02 2016-04-07 Huawei International Pte. Ltd. Key generation method and device
CN106412883A (en) * 2016-11-10 2017-02-15 杭州华三通信技术有限公司 Method and apparatus for access to wireless network
CN106603485A (en) * 2016-10-31 2017-04-26 美的智慧家居科技有限公司 Secret key negotiation method and device
CN106790173A (en) * 2016-12-29 2017-05-31 浙江中控技术股份有限公司 A kind of method and system of SCADA system and its RTU controller bidirectional identity authentications

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王娜: ""电子商务中的认证技术"", 《山东行政学院山东省经济管理干部学院学报》 *

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109842489A (en) * 2018-12-24 2019-06-04 福建联迪商用设备有限公司 A kind of method that realizing secure communication, terminal and system
CN109842489B (en) * 2018-12-24 2022-07-19 福建联迪商用设备有限公司 Method, terminal and system for realizing secure communication
CN109861817A (en) * 2019-02-26 2019-06-07 数安时代科技股份有限公司 Generate method, apparatus, system, equipment and the medium of key
CN110213045A (en) * 2019-05-30 2019-09-06 全链通有限公司 Transmission method, equipment and the computer readable storage medium of session key
CN110289956A (en) * 2019-06-27 2019-09-27 飞天诚信科技股份有限公司 A kind of cloud speaker updates the method and system of configuration
CN110266485A (en) * 2019-06-28 2019-09-20 宁波奥克斯电气股份有限公司 A kind of Internet of Things secure communication control method based on NB-IoT
CN110266485B (en) * 2019-06-28 2022-06-24 宁波奥克斯电气股份有限公司 Internet of things safety communication control method based on NB-IoT
CN111614637A (en) * 2020-05-08 2020-09-01 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module
CN113645024A (en) * 2020-05-11 2021-11-12 华为技术有限公司 Key distribution method, system, device and readable storage medium and chip
CN113645024B (en) * 2020-05-11 2023-03-10 华为技术有限公司 Key distribution method, system, device and readable storage medium and chip
CN111586070A (en) * 2020-05-15 2020-08-25 北京中油瑞飞信息技术有限责任公司 Three-phase metering device communication method and device, three-phase metering device and storage medium
CN112055071B (en) * 2020-08-31 2022-02-22 郑州信大捷安信息技术股份有限公司 Industrial control safety communication system and method based on 5G
CN112055071A (en) * 2020-08-31 2020-12-08 郑州信大捷安信息技术股份有限公司 Industrial control safety communication system and method based on 5G
CN112511295A (en) * 2020-11-12 2021-03-16 银联商务股份有限公司 Authentication method and device for interface calling, micro-service application and key management center
CN112491879A (en) * 2020-11-26 2021-03-12 中电金融设备系统(深圳)有限公司 Method for remotely updating firmware, computer equipment and storage medium
CN112787819A (en) * 2020-12-23 2021-05-11 郑州信大捷安信息技术股份有限公司 Industrial control safety communication system and communication method
CN112787819B (en) * 2020-12-23 2022-03-15 郑州信大捷安信息技术股份有限公司 Industrial control safety communication system and communication method
CN112491933A (en) * 2020-12-25 2021-03-12 四川虹微技术有限公司 Local area network encryption communication method and storage medium
CN112769789A (en) * 2020-12-29 2021-05-07 北京天融信网络安全技术有限公司 Encryption communication method and system
CN112769789B (en) * 2020-12-29 2022-06-24 北京天融信网络安全技术有限公司 Encryption communication method and system
CN112769854A (en) * 2021-01-21 2021-05-07 北京信安世纪科技股份有限公司 Security protocol authentication method and system supporting multiple kinds of digital identity information
CN113595742A (en) * 2021-08-02 2021-11-02 广东电网有限责任公司佛山供电局 Data transmission method, system, computer device and storage medium
CN113595742B (en) * 2021-08-02 2023-06-30 广东电网有限责任公司佛山供电局 Data transmission method, system, computer device and storage medium

Similar Documents

Publication Publication Date Title
CN109040149A (en) Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN109005028A (en) Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN109039628A (en) Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN109120649A (en) Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN110380852B (en) Bidirectional authentication method and communication system
CN103118027B (en) The method of TLS passage is set up based on the close algorithm of state
CN109067539B (en) Alliance chain transaction method, alliance chain transaction equipment and computer readable storage medium
CN109039657A (en) Cryptographic key negotiation method, equipment, terminal, storage medium and system
CN109274503A (en) Distributed collaboration endorsement method and distributed collaboration signature apparatus, soft shield system
CN109150526A (en) Cryptographic key negotiation method, equipment, terminal, storage medium and system
CN110198295A (en) Safety certifying method and device and storage medium
CN110474898A (en) Data encrypting and deciphering and key location mode, device, equipment and readable storage medium storing program for executing
CN109064324A (en) Method of commerce, electronic device and readable storage medium storing program for executing based on alliance's chain
CN102394749B (en) Line protection method, system, information safety equipment and application equipment for data transmission
CN109257170A (en) Cryptographic key negotiation method, equipment, terminal, storage medium and system
CN103338215A (en) Method for establishing TLS (Transport Layer Security) channel based on state secret algorithm
CN108199847B (en) Digital security processing method, computer device, and storage medium
CN112087428B (en) Anti-quantum computing identity authentication system and method based on digital certificate
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN111181723B (en) Method and device for offline security authentication between Internet of things devices
CN109245885A (en) Cryptographic key negotiation method, equipment, storage medium and system
CN112351037B (en) Information processing method and device for secure communication
CN113806772A (en) Information encryption transmission method and device based on block chain
CN102811224A (en) Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection
CN109361508A (en) Data transmission method, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181218