CN109150510B - Method and equipment for obtaining symmetric key - Google Patents

Publication number
CN109150510B
Authority
CN
China
Prior art keywords
data
key
module
mac
preset
Legal status
Active
Application number
CN201810930698.5A
Other languages
Chinese (zh)
Other versions
CN109150510A (en)
Inventor
陆舟
于华章
Current Assignee
Feitian Technologies Co Ltd
Original Assignee
Feitian Technologies Co Ltd
Application filed by Feitian Technologies Co Ltd
Priority to CN201810930698.5A
Publication of CN109150510A
Application granted
Publication of CN109150510B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key

Abstract

The invention discloses a method and a device for obtaining a symmetric key, relating to the field of communication security. In the method, the device receives and parses a key transmission instruction sent by an upper computer to obtain a key block header field, a key block data field and a key block MAC value; obtains a first key and a second key according to the protection key, the first preset data, the second preset data, the ninth preset data and the tenth preset data; obtains an encryption key and a MAC key according to the protection key, the first key, the third to fifth preset data and the sixth to eighth preset data; obtains first plaintext data according to the encryption key, the key block data field and the key block MAC value; obtains a second MAC value according to the MAC key, the first plaintext data, the key block header field and the second key; and, when the second MAC value is the same as the key block MAC value, obtains the symmetric key from the first plaintext data, stores it, and returns a key transmission success response to the upper computer.

Description

Method and equipment for obtaining symmetric key
Technical Field
The present invention relates to the field of communications security, and in particular, to a method and an apparatus for obtaining a symmetric key.
Background
When transaction information is transmitted between two devices that support a symmetric key system, sensitive data such as a symmetric key is needed to encrypt the transaction information and verify its integrity, so this sensitive data must be stored in the devices. In the prior art, a common method is to use a dedicated device to inject sensitive data such as a symmetric key into the device in plaintext or with simple encryption. If a user wants to update or upgrade the symmetric key of the device, the device must be returned to the factory (the manufacturer updates or upgrades the symmetric key), and the process is very complicated. Alternatively, the user can update or upgrade the symmetric key of the device by using a non-dedicated device, but in that case sensitive data such as the symmetric key is very easy to steal, and the security is low.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a method and equipment for obtaining a symmetric key.
The technical scheme adopted by the invention is as follows:
the embodiment provides a method for acquiring a symmetric key, which comprises the following steps:
step S1: the device receives a key transmission instruction sent by an upper computer, and parses the key transmission instruction to obtain key block data;
step S2: the device acquires a preset protection key, and obtains a first key according to the protection key, the first preset data and the second preset data;
step S3: the device obtains an encryption key according to the protection key, the first key, the third preset data, the fourth preset data and the fifth preset data, and obtains a MAC key according to the protection key, the first key, the sixth preset data, the seventh preset data and the eighth preset data;
step S4: the device obtains first plaintext data according to the encryption key, the key block data field and the key block MAC value; obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field and a second key;
step S5: when the second MAC value is the same as the key block MAC value, obtaining and storing a symmetric key from the first plaintext data, and returning a key transmission success response to the upper computer;
between the step S1 and the step S4, the method further includes:
the device parses the key block data to obtain a key block header field, a key block data field and a key block MAC value;
before obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field, and the second key, and after the device acquires the preset protection key, the method further includes:
the device calculates according to the protection key, the ninth preset data and the tenth preset data to obtain a second key;
the embodiment further provides a device for acquiring a symmetric key, which includes a receiving module, a first parsing module, a second parsing module, a first acquiring module, a first obtaining module, a second obtaining module, a third obtaining module, a fourth obtaining module, a fifth obtaining module, a sixth obtaining module, a second acquiring module, a storage module, and a sending module;
the receiving module is used for receiving a key transmission instruction sent by the upper computer;
the first parsing module is configured to parse the key transmission instruction received by the receiving module to obtain key block data;
the second parsing module is used for parsing the key block data obtained by the first parsing module to obtain a key block header field, a key block data field and a key block MAC value;
the first acquiring module is used for acquiring a preset protection key;
the first obtaining module is configured to obtain a first key according to the protection key acquired by the first acquiring module, the first preset data, and the second preset data;
the second obtaining module is configured to calculate according to the protection key acquired by the first acquiring module, the ninth preset data, and the tenth preset data to obtain a second key;
the third obtaining module is configured to obtain an encryption key according to the protection key acquired by the first acquiring module, the first key obtained by the first obtaining module, third preset data, fourth preset data, and fifth preset data;
the fourth obtaining module is configured to obtain a MAC key according to the protection key acquired by the first acquiring module, the first key obtained by the first obtaining module, sixth preset data, seventh preset data, and eighth preset data;
the fifth obtaining module is configured to obtain first plaintext data according to the encryption key obtained by the third obtaining module, the key block data field parsed by the second parsing module, and the key block MAC value parsed by the second parsing module;
the sixth obtaining module is configured to obtain a second MAC value according to the MAC key obtained by the fourth obtaining module, the first plaintext data obtained by the fifth obtaining module, the key block header field parsed by the second parsing module, and the second key obtained by the second obtaining module;
the second acquiring module is configured to obtain a symmetric key from the first plaintext data obtained by the fifth obtaining module when the second MAC value obtained by the sixth obtaining module is the same as the key block MAC value parsed by the second parsing module;
the storage module is configured to store the symmetric key obtained by the second acquiring module;
and the sending module is used for returning a key transmission success response to the upper computer.
The invention has the following beneficial effects: the user can update or upgrade the symmetric key directly and securely without returning the device to the factory. When the device receives the key transmission instruction sent by the upper computer, it parses the instruction to obtain key block data and decrypts the key block data to obtain sensitive data such as the symmetric key, so that such sensitive data can be updated or upgraded conveniently and quickly, and the security of the process of transmitting it is enhanced.
Drawings
Fig. 1 is a flowchart of a method for obtaining a symmetric key according to a second embodiment;
fig. 2 is a block diagram of an apparatus for obtaining a symmetric key according to a third embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
The embodiment provides a method for obtaining a symmetric key, which includes the following steps:
step 101: the device receives a key transmission instruction sent by an upper computer, and parses the key transmission instruction to obtain key block data;
step 102: the device acquires a preset protection key, and obtains a first key according to the protection key, the first preset data and the second preset data;
optionally, in step 102, obtaining the first key according to the protection key, the first preset data, and the second preset data specifically includes:
the device calculates first preset data according to the protection key to obtain first data, and obtains a first key according to the first data and second preset data;
further, the device calculates the first preset data according to the protection key to obtain first data, and obtains the first key according to the first data and the second preset data, specifically:
the device calculates first preset data by using a first algorithm according to the protection key to obtain first data, judges whether the first data needs to be updated or not, updates the first data according to second preset data if the first data needs to be updated, and records the updated first data as the first key; otherwise, the first data is recorded as the first key.
Step 103: the device obtains an encryption key according to the protection key, the first key, the third preset data, the fourth preset data and the fifth preset data, and obtains a MAC key according to the protection key, the first key, the sixth preset data, the seventh preset data and the eighth preset data;
optionally, in step 103, an encryption key is obtained according to the protection key, the first key, the third preset data, the fourth preset data, and the fifth preset data, and the specific steps are as follows:
the device uses the protection key and the first key to respectively calculate third preset data, fourth preset data and fifth preset data to respectively obtain a first part of encrypted data, a second part of encrypted data and a third part of encrypted data, and an encryption key is formed according to the first part of encrypted data, the second part of encrypted data and the third part of encrypted data;
further, the device calculates third preset data, fourth preset data and fifth preset data respectively by using the protection key and the first key to obtain a first part of encrypted data, a second part of encrypted data and a third part of encrypted data respectively, and forms an encryption key according to the first part of encrypted data, the second part of encrypted data and the third part of encrypted data, specifically:
the device obtains first intermediate data according to the first key and the third preset data, and obtains the first part of encrypted data according to the protection key and the first intermediate data; obtains second intermediate data according to the first key and the fourth preset data, and obtains the second part of encrypted data according to the protection key and the second intermediate data; obtains third intermediate data according to the first key and the fifth preset data, and obtains the third part of encrypted data according to the protection key and the third intermediate data; and forms the encryption key from the first, second and third parts of encrypted data.
Optionally, in step 103, obtaining the MAC key according to the protection key, the first key, the sixth preset data, the seventh preset data, and the eighth preset data, specifically:
the device calculates the sixth preset data, the seventh preset data and the eighth preset data respectively by using the protection key and the first key to obtain a first part of MAC data, a second part of MAC data and a third part of MAC data respectively, and forms the MAC key according to the first part of MAC data, the second part of MAC data and the third part of MAC data;
further, the device calculates sixth preset data, seventh preset data, and eighth preset data respectively by using the protection key and the first key to obtain a first part of MAC data, a second part of MAC data, and a third part of MAC data, and forms a MAC key according to the first part of MAC data, the second part of MAC data, and the third part of MAC data, specifically:
the device obtains fourth intermediate data according to the first key and the sixth preset data, and obtains the first part of MAC data according to the protection key and the fourth intermediate data; obtains fifth intermediate data according to the first key and the seventh preset data, and obtains the second part of MAC data according to the protection key and the fifth intermediate data; obtains sixth intermediate data according to the first key and the eighth preset data, and obtains the third part of MAC data according to the protection key and the sixth intermediate data; and forms the MAC key according to the first part of MAC data, the second part of MAC data and the third part of MAC data.
Step 104: the device obtains first plaintext data according to the encryption key, the key block data field and the key block MAC value; obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field and the second key;
optionally, in step 104, the device obtains first plaintext data according to the encryption key, the key block data field, and the key block MAC value, specifically:
the device divides the key block data field equally into four parts; calculates each of the four parts by using the encryption key to obtain a first calculation result, a second calculation result, a third calculation result and a fourth calculation result; calculates each of the four calculation results with the key block MAC value to obtain second plaintext data to fifth plaintext data; and obtains the first plaintext data according to the second plaintext data to the fifth plaintext data;
further, the device dividing the key block data field equally into four parts, calculating each of the four parts by using the encryption key, calculating each of the resulting first to fourth calculation results with the key block MAC value, and obtaining the first plaintext data according to the resulting second plaintext data to fifth plaintext data is specifically:
the device divides the key block data field equally into first key data, second key data, third key data and fourth key data; calculates the first key data by using a first algorithm according to the encryption key to obtain a first calculation result, and calculates the first calculation result and the key block MAC value by using a second algorithm to obtain second plaintext data; calculates the second key data by using the first algorithm according to the encryption key to obtain a second calculation result, and calculates the second calculation result and the key block MAC value by using the second algorithm to obtain third plaintext data; calculates the third key data by using the first algorithm according to the encryption key to obtain a third calculation result, and calculates the third calculation result and the key block MAC value by using the second algorithm to obtain fourth plaintext data; calculates the fourth key data by using the first algorithm according to the encryption key to obtain a fourth calculation result, and calculates the fourth calculation result and the key block MAC value by using the second algorithm to obtain fifth plaintext data; and calculates the second plaintext data to the fifth plaintext data by using a third algorithm to obtain the first plaintext data.
Optionally, in step 104, a second MAC value is obtained according to the MAC key, the first plaintext data, the key block header field, and the second key, specifically:
the device calculates the first plaintext data and the key block header field to obtain first recombined data; divides the first recombined data equally into six parts, namely the second recombined data to the seventh recombined data; calculates the second recombined data by using the MAC key to obtain first encrypted data; calculates the third recombined data and the first encrypted data by using the MAC key to obtain second encrypted data; calculates the fourth recombined data and the second encrypted data by using the MAC key to obtain third encrypted data; calculates the fifth recombined data and the third encrypted data by using the MAC key to obtain fourth encrypted data; calculates the sixth recombined data and the fourth encrypted data by using the MAC key to obtain fifth encrypted data; and calculates the seventh recombined data, the fifth encrypted data and the second key by using the MAC key to obtain the second MAC value.
Step 105: when the second MAC value is the same as the key block MAC value, obtaining and storing a symmetric key from the first plaintext data, and returning a key transmission success response to the upper computer;
optionally, step 105 further includes: the device judges whether the second MAC value is the same as the key block MAC value; if so, it obtains the symmetric key from the first plaintext data, stores it, and returns a key transmission success response to the upper computer; if not, it returns an error code to the upper computer.
Between step 101 and step 104, further comprising:
the device parses the key block data to obtain a key block header field, a key block data field and a key block MAC value;
before obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field, and the second key, and after the device obtains a preset protection key, the method further includes:
the device calculates according to the protection key, the ninth preset data and the tenth preset data to obtain a second key;
optionally, the device calculates according to the protection key, the ninth preset data, and the tenth preset data to obtain a second key, specifically:
the device calculates the ninth preset data according to the protection key to obtain second data, and obtains a second key according to the second data and the tenth preset data;
further, the device calculates ninth preset data according to the protection key to obtain second data, and obtains a second key according to the second data and tenth preset data, specifically:
the device calculates ninth preset data by using a first algorithm according to the protection key to obtain second data, judges whether the second data needs to be updated, updates the second data according to tenth preset data if the second data needs to be updated, and records the updated second data as a second key; otherwise, the second data is recorded as a second key.
This embodiment provides a method for obtaining a symmetric key with which a user can update or upgrade the symmetric key directly and securely without returning the device to the factory. When the device receives the key transmission instruction sent by the upper computer, it parses the instruction to obtain key block data and decrypts the key block data to obtain sensitive data such as the symmetric key, so that such sensitive data can be updated or upgraded conveniently and quickly, and the security of the process of transmitting it is enhanced.
Example two
The second embodiment provides a method for obtaining a symmetric key, which can be directly performed in a public network environment without using a dedicated device; the method is shown in fig. 2 and comprises the following steps:
step 201: the device receives a key transmission instruction sent by an upper computer, and parses the key transmission instruction to obtain key block data;
for example, the key block data is 423030433050305445303045303030303643383542463234373833333939384432303946433743413739314531464141353433394337353030393739464131324639433639373345393736393543463230413731374232323131373738384437;
step 202: the equipment judges whether the total length of the received key block data is legal or not according to the preset length, if so, step 203 is executed, and if not, an error code is returned to the upper computer;
specifically, the device determines whether the total length of the received key block data is equal to a preset length, if so, the total length of the key block data is legal, step 203 is executed, otherwise, an error code is returned;
for example, the preset length is 96 bytes;
step 203: the device parses the key block data to obtain a key block header field, a key block data field and a key block MAC value;
specifically, the device parses the key block data, acquires the first 16 bytes of data as a key block header field, acquires the middle 64 bytes of data as a key block data field, and acquires the last 16 bytes of data as a key block MAC value;
for example, the key block header field is 42303043305030544530304530303030;
the key block data field is 36433835424632343738333339393844323039464337434137393145314641413534333943373530303937394641313246394336393733453937363935434632;
the key block MAC value is 30413731374232323131373738384437;
further, the step also includes converting the key block data field and the key block MAC value into HEX format; the converted key block data field has a length of 32 bytes and the converted key block MAC value has a length of 8 bytes;
for example, the key block data field after conversion into HEX format is 0x6C85BF247833998D209FC7CA791E1FAA5439C7500979FA12F9C6973E97695CF2;
the key block MAC value is 0x0A717B22117788D7;
step 204: the device judges whether each component field of the key block header field is legal, if so, step 205 is executed, otherwise, an error code is returned to the upper computer;
specifically, the key block header field contains fields that identify information such as the usage, algorithm and version of the transmitted symmetric key; for example, a key block length field, a key usage field, a key algorithm field, a key usage method field, a key version number field, a key output capability field, a key block optional block number field, and a key block reserved field;
preferably, the component fields of the key block header field include a key block version ID (1st byte), a key block length field (2nd to 5th bytes), a key usage field (6th and 7th bytes), a key algorithm field (8th byte), a key usage method field (9th byte), a key version number field (10th and 11th bytes), a key output capability field (12th byte), a key block optional block number field (13th and 14th bytes), and a key block reserved field (15th and 16th bytes);
specifically, the determining, by the device, whether each component field of the key block header field is legal includes:
1) the device judges whether the key block version ID is 0x42; if so, the key block version ID is legal, otherwise it is illegal;
2) the device judges whether the key block length field is 0x30304330; if so, the key block length field is legal, otherwise it is illegal;
3) the device judges whether the key usage field is 0x4430, 0x4B30, 0x4D31 or 0x5030; if so, the key usage field is legal, otherwise it is illegal (the key usage values are: 0x4430, data encryption; 0x4B30, encryption of a key for transfer; 0x4D31, encryption using the ISO 9797-1 MAC algorithm; 0x5030, PIN code encryption);
4) the device judges whether the key algorithm field is 0x41 or 0x54; if so, the key algorithm field is legal, otherwise it is illegal (0x41 denotes support of AES; 0x54 denotes support of 3DES);
5) the device judges whether the key usage method field is 0x42, 0x43 or 0x45; if so, the key usage method field is legal, otherwise it is illegal (0x42 denotes use for encryption or decryption; 0x43 denotes use for computing a MAC; 0x45 denotes use for encryption only);
6) the device judges whether the key version number field is 0x3030; if so, the key version number field is legal, otherwise it is illegal;
7) the device judges whether the key output capability field is 0x45; if so, the key output capability field is legal, otherwise it is illegal;
8) the device judges whether the key block optional block number field is 0x3030; if so, the key block optional block number field is legal, otherwise it is illegal;
9) the device judges whether the key block reserved field is the index value of the secondary key; if so, the key block reserved field is legal, otherwise it is illegal (in this embodiment, the legal range of the index value is 0 to F);
alternatively, steps 202 to 204 may be located at any position before step 209;
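The length check, field split and header checks of steps 202 to 204, as an added Python example (not code from the patent), run on the page's example key block. The names `parse_key_block`, `KeyBlock` and `KeyBlockError` are hypothetical, and reading the two reserved bytes as an ASCII-hex key index in the range 0 to F is an assumption.

```python
import binascii
from dataclasses import dataclass

BLOCK_LEN = 96  # preset total length from step 202

# The page's example key block (step 201), written as the ASCII text its hex
# listing decodes to: 16-byte header, 64-character data field, 16-character MAC.
EXAMPLE_BLOCK = (
    b"B00C0P0TE00E0000"
    b"6C85BF247833998D209FC7CA791E1FAA5439C7500979FA12F9C6973E97695CF2"
    b"0A717B22117788D7"
)

# Legal values from step 204. The page numbers header bytes from 1; the
# slices below are 0-based.
KEY_USAGE = {b"D0": "data encryption", b"K0": "key encryption for transfer",
             b"M1": "ISO 9797-1 MAC", b"P0": "PIN encryption"}
KEY_ALGORITHM = {b"A": "AES", b"T": "3DES"}
KEY_MODE = {b"B": "encrypt or decrypt", b"C": "compute MAC", b"E": "encrypt only"}
HEADER_FIELDS = [
    ("key block version ID", slice(0, 1), {b"B"}),
    ("key block length", slice(1, 5), {b"00C0"}),
    ("key usage", slice(5, 7), set(KEY_USAGE)),
    ("key algorithm", slice(7, 8), set(KEY_ALGORITHM)),
    ("key usage method", slice(8, 9), set(KEY_MODE)),
    ("key version number", slice(9, 11), {b"00"}),
    ("key output capability", slice(11, 12), {b"E"}),
    ("optional block number", slice(12, 14), {b"00"}),
]
HEX_DIGITS = frozenset(b"0123456789ABCDEFabcdef")


class KeyBlockError(ValueError):
    """A key block failed a length, header or encoding check."""


@dataclass(frozen=True)
class KeyBlock:
    header: bytes    # 16 raw header bytes (also an input to the MAC in step 104)
    data: bytes      # 32-byte encrypted data field after hex decoding
    mac: bytes       # 8-byte key block MAC value after hex decoding
    usage: str
    algorithm: str
    mode: str
    key_index: int


def unhex(name: str, field: bytes) -> bytes:
    """Strictly decode an ASCII-hex field; whitespace and signs are rejected."""
    if any(c not in HEX_DIGITS for c in field):
        raise KeyBlockError(f"{name} is not ASCII hex: {field!r}")
    return binascii.unhexlify(field)


def parse_key_block(raw: bytes) -> KeyBlock:
    """Steps 202-204: total length check, split into fields, header validation."""
    if len(raw) != BLOCK_LEN:
        raise KeyBlockError(f"total length {len(raw)} is not {BLOCK_LEN}")
    header, data_hex, mac_hex = raw[:16], raw[16:80], raw[80:]
    for name, where, legal in HEADER_FIELDS:
        if header[where] not in legal:
            raise KeyBlockError(f"{name} field is illegal: {header[where]!r}")
    # Assumption (not spelled out on the page): the two reserved bytes are
    # ASCII hex for the key index, which must lie in 0x0..0xF.
    key_index = unhex("reserved field", header[14:16])[0]
    if key_index > 0xF:
        raise KeyBlockError(f"key index {key_index:#x} is out of range")
    return KeyBlock(header, unhex("data field", data_hex),
                    unhex("MAC value", mac_hex), KEY_USAGE[header[5:7]],
                    KEY_ALGORITHM[header[7:8]], KEY_MODE[header[8:9]], key_index)


if __name__ == "__main__":
    block = parse_key_block(EXAMPLE_BLOCK)
    print(block.usage, block.algorithm, block.mode, block.mac.hex().upper())
```

Every check runs before any key is derived, so a malformed block is rejected without touching the protection key.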
step 205: the device acquires a preset protection key, calculates the first preset data according to the protection key to obtain first data, and obtains the first key according to the first data and the second preset data;
specifically, the device acquires a preset protection key, calculates the first preset data by using a first algorithm according to the protection key to obtain first data, and judges whether the first data needs to be updated; if so, it updates the first data according to the second preset data, records the updated first data as the first key, and executes step 206; otherwise, it records the first data as the first key and executes step 206;
more specifically, the device acquires a preset protection key, calculates the first preset data by using a first algorithm according to the protection key to obtain first data, and determines whether the value of a first preset bit of the first data is a first preset value; if so, it records the first data as the first key and executes step 206; otherwise, it shifts the first data to the left by a second preset number of bits, fills the vacated bits of the shifted first data with a third preset value, calculates the filled first data and the second preset data by using a second algorithm to obtain the first key, and executes step 206;
for example, the financial device acquires a preset protection key; performs a 3DES operation on the first preset data according to the protection key to obtain first data; and determines whether the highest byte of the first data is 0x00; if so, it records the first data as the first key and executes step 206; otherwise, it shifts the first data left by 1 bit, fills the last bit of the shifted first data with 0, XORs the filled first data with the second preset data to obtain the first key, and executes step 206; the highest byte of the first data is typically the first byte in left-to-right order;
for example, the protection key is 0xA8BF12C8CD1B3194C91C28A5E38D712C;
the first preset data is 0x0000000000000000;
the second preset data is 0x0000000000000001B;
the first data is 0x3131114FC8DB13E6;
the first key is 0x6262229F91B627D7;
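The update rule from the step 205 example, as an added Python example (not code from the patent), checked against the page's first data and first key; the same rule is described for the second key with the ninth and tenth preset data. `update_data` and `derive_key` are hypothetical names, the 3DES operation under the protection key is passed in as a caller-supplied function `encrypt_block`, and the second preset data is assumed to be the 8-byte value 0x1B.

```python
BLOCK_BYTES = 8  # 3DES block size; the page's first data and first key are 8 bytes

# Values from the page's step 205 example.
FIRST_DATA = bytes.fromhex("3131114FC8DB13E6")
FIRST_KEY = bytes.fromhex("6262229F91B627D7")
# Assumption: the second preset data is the 8-byte value 0x1B. The page prints
# it with 17 hex digits; this 8-byte form reproduces the page's first key.
SECOND_PRESET = bytes.fromhex("000000000000001B")


def update_data(data: bytes, preset: bytes, shift_bits: int = 1) -> bytes:
    """Apply the page's rule: keep the data if its highest byte is 0x00,
    otherwise shift left, zero-fill on the right, and XOR with the preset."""
    if len(data) != BLOCK_BYTES or len(preset) != BLOCK_BYTES:
        raise ValueError("data and preset must be 8 bytes each")
    if data[0] == 0x00:
        return data  # no update needed
    mask = (1 << (8 * BLOCK_BYTES)) - 1
    # The shift runs across byte boundaries; bits shifted out on the left are
    # dropped and the vacated low bits are 0.
    shifted = (int.from_bytes(data, "big") << shift_bits) & mask
    return (shifted ^ int.from_bytes(preset, "big")).to_bytes(BLOCK_BYTES, "big")


def derive_key(encrypt_block, seed_preset: bytes, update_preset: bytes) -> bytes:
    """First key: seed = first preset data, update = second preset data.
    Second key: seed = ninth preset data, update = tenth preset data.
    encrypt_block(block) must return the 3DES encryption of an 8-byte block
    under the protection key (supplied by the caller)."""
    return update_data(encrypt_block(seed_preset), update_preset)


if __name__ == "__main__":
    print(update_data(FIRST_DATA, SECOND_PRESET).hex().upper())
```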
step 206: the device uses the protection key and the first key to respectively calculate third preset data, fourth preset data and fifth preset data to respectively obtain a first part of encrypted data, a second part of encrypted data and a third part of encrypted data, and an encryption key is formed according to the first part of encrypted data, the second part of encrypted data and the third part of encrypted data;
specifically, the device obtains first intermediate data according to a first secret key and third preset data, and obtains first part encrypted data according to a protection secret key and the first intermediate data; obtaining second intermediate data according to the first secret key and fourth preset data, and obtaining second part of encrypted data according to the protection secret key and the second intermediate data; obtaining third intermediate data according to the first secret key and fifth preset data, and obtaining third part of encrypted data according to the protection secret key and the third intermediate data; forming an encryption key according to the first part of encrypted data, the second part of encrypted data and the third part of encrypted data;
more specifically, the device calculates third preset data by using a second algorithm according to the first key to obtain first intermediate data, and calculates the first intermediate data by using the first algorithm according to the protection key to obtain first part of encrypted data; calculating fourth preset data by using a second algorithm according to the first key to obtain second intermediate data, and calculating the second intermediate data by using the first algorithm according to the protection key to obtain second part of encrypted data; calculating fifth preset data by using a second algorithm according to the first key to obtain third intermediate data, and calculating the third intermediate data by using the first algorithm according to the protection key to obtain third part of encrypted data; calculating the first part of encrypted data, the second part of encrypted data and the third part of encrypted data by using a third algorithm to obtain an encryption key;
for example, the device performs xor on the third preset data according to the first key to obtain first intermediate data, and performs 3DES operation on the first intermediate data according to the protection key to obtain first part of encrypted data; performing XOR on the fourth preset data according to the first key to obtain second intermediate data, and performing 3DES operation on the second intermediate data according to the protection key to obtain second part of encrypted data; performing XOR on fifth preset data according to the first key to obtain third intermediate data, and performing 3DES operation on the third intermediate data according to the protection key to obtain third part of encrypted data; sequentially splicing the first part of encrypted data, the second part of encrypted data and the third part of encrypted data to obtain a 24-byte encryption key;
for example, the third preset data is 0x0100000000000080;
the fourth preset data is 0x0200000000000080;
the fifth preset data is 0x030000000080;
the first intermediate data is 0x6362229F91B62757;
the second intermediate data is 0x6062229F91B62757;
the third intermediate data is 0x6162229F91B62757;
the first part of the encrypted data is 0xE4F5A9555F78DFA1;
the second part of encrypted data is 0x83CF8CEA8079D995;
the third part of the encrypted data is 0x3A2946A841FCEE7E;
the encryption key is 0xE4F5A9555F78DFA183CF8CEA8079D9953A2946A841FCEE7E;
step 207: the device uses the protection key and the first key to respectively calculate sixth preset data, seventh preset data and eighth preset data to respectively obtain a first part of MAC data, a second part of MAC data and a third part of MAC data, and a MAC key is formed according to the first part of MAC data, the second part of MAC data and the third part of MAC data;
specifically, the device obtains fourth intermediate data according to the first key and sixth preset data, and obtains a first part of MAC data according to the protection key and the fourth intermediate data; obtaining fifth intermediate data according to the first key and seventh preset data, and obtaining second part of MAC data according to the protection key and the fifth intermediate data; obtaining sixth intermediate data according to the first key and eighth preset data, and obtaining a third part of MAC data according to the protection key and the sixth intermediate data; forming a MAC key according to the first part of MAC data, the second part of MAC data and the third part of MAC data;
more specifically, the device calculates sixth preset data by using a second algorithm according to the first key to obtain fourth intermediate data, and calculates the fourth intermediate data by using the first algorithm according to the protection key to obtain a first part of MAC data; calculating seventh preset data by using a second algorithm according to the first key to obtain fifth intermediate data, and calculating the fifth intermediate data by using the first algorithm according to the protection key to obtain second part of MAC data; calculating eighth preset data by using a second algorithm according to the first key to obtain sixth intermediate data, and calculating the sixth intermediate data by using the first algorithm according to the protection key to obtain a third part of MAC data; calculating the first part of MAC data, the second part of MAC data and the third part of MAC data by using a third algorithm to obtain an MAC key;
for example, the device performs xor on sixth preset data according to the first key to obtain fourth intermediate data, and performs 3DES operation on the fourth intermediate data according to the protection key to obtain a first part of MAC data; performing XOR on seventh preset data according to the first key to obtain fifth intermediate data, and performing 3DES operation on the fifth intermediate data according to the protection key to obtain second part of MAC data; performing XOR on the eighth preset data according to the first key to obtain sixth intermediate data, and performing 3DES operation on the sixth intermediate data according to the protection key to obtain a third part of MAC data; sequentially splicing the first part of MAC data, the second part of MAC data and the third part of MAC data to obtain a 24-byte MAC key;
for example, the sixth preset data is 0x0100010000000080;
the seventh preset data is 0x0200010000000080;
the eighth preset data is 0x0300010000000080;
the fourth intermediate data is 0x6362239F91B62757;
the fifth intermediate data is 0x6062239F91B62757;
the sixth intermediate data is 0x6162239F91B62757;
the first part of the MAC data is 0xC1EE1F1B6E15BB4C;
the second part of the MAC data is 0x095233380CCB4766;
the third part of MAC data is 0x1096BE7DE22D4185;
the MAC key is 0xC1EE1F1B6E15BB4C095233380CCB47661096BE7DE22D4185;
step 208: the device calculates the ninth preset data according to the protection key to obtain second data, and obtains a second key according to the second data and the tenth preset data;
specifically, the device calculates ninth preset data by using a first algorithm according to the protection key to obtain second data, determines whether the second data needs to be updated, if yes, updates the second data according to tenth preset data, records the updated second data as the second key, and performs step 209; otherwise, the second data is recorded as a second key, and step 209 is executed;
more specifically, the device calculates ninth preset data by using a first algorithm according to the protection key to obtain second data, determines whether a value of a second preset bit of the second data is a fourth preset value, if so, marks the second data as the second key, and performs step 209; otherwise, the second data is shifted to the left by a fifth preset number of bits, the sixth preset value is used for filling the vacant bits in the shifted second data, the filled second data and the tenth preset data are calculated by using a second algorithm to obtain a second key, and step 209 is executed;
for example, the financial device acquires a preset protection key; performing a 3DES operation on the ninth preset data according to the protection key to obtain second data; judging whether the highest byte of the second data is 0x00, if yes, recording the second data as a second key, and executing step 209; otherwise, the second data is shifted to the left by 1 bit, 0 is used to fill the last bit of the shifted second data, the filled second data and the tenth preset data are subjected to exclusive OR to obtain a second key, and step 209 is executed; the highest byte of the second data is typically the first byte in left-to-right order;
for example, the protection key is 0xC1EE1F1B6E15BB4C095233380CCB47661096BE7DE22D4185;
the ninth preset data is 0x0000000000000000;
the tenth preset data is 0x0000000000000001B;
the second data is 0x17EEBB7FB49E8AAF;
the second key is 0x2FDD76FF693D1545;
alternatively, step 208 may be located anywhere after step 205 and before step 211;
step 209: the device obtains first plaintext data according to the encryption key, the key block data field and the key block MAC value;
specifically, the device equally divides the key block data field into four parts; calculating each of the four parts by using the encryption key to obtain a first calculation result, a second calculation result, a third calculation result and a fourth calculation result; calculating each of the four calculation results with the key block MAC value to obtain second plaintext data to fifth plaintext data; and obtaining first plaintext data according to the second plaintext data to the fifth plaintext data;
more specifically, the device equally divides the key block data into first key data, second key data, third key data, and fourth key data; calculating first key data by using a first algorithm according to the encryption key to obtain a first calculation result, and calculating the first calculation result and the key block MAC value by using a second algorithm to obtain second plaintext data; calculating second key data by using a first algorithm according to the encryption key to obtain a second calculation result, and calculating the second calculation result and the key block MAC value by using a second algorithm to obtain third plaintext data; calculating third key data by using a first algorithm according to the encryption key to obtain a third calculation result, and calculating the third calculation result and the MAC value of the key block by using a second algorithm to obtain fourth plaintext data; calculating fourth key data by using a first algorithm according to the encryption key to obtain a fourth calculation result, and calculating the fourth calculation result and the key block MAC value by using a second algorithm to obtain fifth plaintext data; calculating second plaintext data to fifth plaintext data by using a third algorithm to obtain first plaintext data;
for example, the device takes the first 8 bytes of the key block data field as first key data, bytes 9-16 as second key data, bytes 17-24 as third key data, and bytes 25-32 as fourth key data; performing 3DES operation on the first key data according to the encryption key to obtain a first calculation result, and performing XOR on the first calculation result and the MAC value of the key block to obtain second plaintext data; performing 3DES operation on the second key data according to the encryption key to obtain a second calculation result, and performing XOR on the second calculation result and the MAC value of the key block to obtain third plaintext data; performing 3DES operation on the third key data according to the encryption key to obtain a third calculation result, and performing XOR on the third calculation result and the MAC value of the key block to obtain fourth plaintext data; performing 3DES operation on the fourth key data according to the encryption key to obtain a fourth calculation result, and performing XOR on the fourth calculation result and the MAC value of the key block to obtain fifth plaintext data; sequentially splicing the second plaintext data to the fifth plaintext data to obtain first plaintext data;
for example, the key block data field is 0x6C85BF247833998D209FC7CA791E1FAA5439C7500979FA12F9C6973E97695CF2;
the first key data is 0x6C85BF247833998D;
the second key data is 0x209FC7CA791E1FAA;
the third key data is 0x5439C7500979FA12;
the fourth key data is 0xF9C6973E97695CF2;
the second plaintext data is 0x00C0111213141516;
the third plaintext data is 0x1718090A0B0C0D0E;
the fourth plaintext data is 0x1011202122232425;
the fifth plaintext data is 0x26274B0D3A093802;
the first plaintext data is 0x00C01112131415161718090A0B0C0D0E101120212223242526274B0D3A093802;
in this embodiment, the data format of the key block data field may specifically be: symmetric key length value (2 bytes) + decrypted data (30 bytes), wherein the decrypted data is composed in the format: symmetric key data (24 bytes) + padding data (6 bytes);
step 210: the device calculates the first plaintext data and the key block header field to obtain first reorganized data;
specifically, the financial device calculates a key block header field and first plaintext data according to a third algorithm to obtain first reorganized data;
more specifically, the financial device sequentially splices a 16-byte key block header field and 32-byte first plaintext data to obtain 48-byte first reorganized data;
for example, the first reorganized data is 0x4230304330503054453030453030303000C01112131415161718090A0B0C0D0E101120212223242526274B0D3A093802;
step 211: the device calculates the first reorganized data and the second key by using the MAC key to obtain a second MAC value;
specifically, the device equally divides the first reorganized data into six parts, the second to seventh reorganized data; calculating the second reorganized data by using the MAC key to obtain first encrypted data; calculating the third reorganized data and the first encrypted data by using the MAC key to obtain second encrypted data; calculating the fourth reorganized data and the second encrypted data by using the MAC key to obtain third encrypted data; calculating the fifth reorganized data and the third encrypted data by using the MAC key to obtain fourth encrypted data; calculating the sixth reorganized data and the fourth encrypted data by using the MAC key to obtain fifth encrypted data; calculating the seventh reorganized data, the fifth encrypted data and the second key by using the MAC key to obtain a second MAC value;
more specifically, the device equally divides the first reorganized data into six parts, the second to seventh reorganized data; calculating the second reorganized data by using the MAC key to obtain first encrypted data; calculating the first encrypted data and the third reorganized data, and calculating the calculation result by using the MAC key to obtain second encrypted data; calculating the second encrypted data and the fourth reorganized data, and calculating the calculation result by using the MAC key to obtain third encrypted data; calculating the third encrypted data and the fifth reorganized data, and calculating the calculation result by using the MAC key to obtain fourth encrypted data; calculating the fourth encrypted data and the sixth reorganized data, and calculating the calculation result by using the MAC key to obtain fifth encrypted data; calculating the fifth encrypted data, the second key and the seventh reorganized data, and calculating the calculation result by using the MAC key to obtain a second MAC value;
further, the device equally divides the first reorganized data into six parts, the second to seventh reorganized data; calculating the second reorganized data according to a first algorithm by using the MAC key to obtain first encrypted data; calculating the first encrypted data and the third reorganized data by using a second algorithm, and calculating the calculation result by using the MAC key according to the first algorithm to obtain second encrypted data; calculating the second encrypted data and the fourth reorganized data by using a second algorithm, and calculating the calculation result by using the MAC key according to the first algorithm to obtain third encrypted data; calculating the third encrypted data and the fifth reorganized data by using a second algorithm, and calculating the calculation result by using the MAC key according to the first algorithm to obtain fourth encrypted data; calculating the fourth encrypted data and the sixth reorganized data by using a second algorithm, and calculating the calculation result by using the MAC key according to the first algorithm to obtain fifth encrypted data; calculating the seventh reorganized data and the second key by using a second algorithm, calculating the calculation result and the fifth encrypted data by using the second algorithm, and calculating the calculation result by using the MAC key according to the first algorithm to obtain a second MAC value;
for example, the device takes the first 8 bytes of the first reorganized data as second reorganized data, the 9th-16th bytes as third reorganized data, the 17th-24th bytes as fourth reorganized data, the 25th-32nd bytes as fifth reorganized data, the 33rd-40th bytes as sixth reorganized data, and the 41st-48th bytes as seventh reorganized data; performing 3DES operation on the second reorganized data by using the MAC key to obtain first encrypted data; performing exclusive OR on the first encrypted data and the third reorganized data, and performing 3DES operation on the exclusive OR result by using the MAC key to obtain second encrypted data; performing exclusive OR on the second encrypted data and the fourth reorganized data, and performing 3DES operation on the exclusive OR result by using the MAC key to obtain third encrypted data; performing exclusive OR on the third encrypted data and the fifth reorganized data, and performing 3DES operation on the exclusive OR result by using the MAC key to obtain fourth encrypted data; performing exclusive OR on the fourth encrypted data and the sixth reorganized data, and performing 3DES operation on the exclusive OR result by using the MAC key to obtain fifth encrypted data; performing exclusive OR on the seventh reorganized data and the second key, performing a second exclusive OR on that result and the fifth encrypted data, and performing 3DES operation on the second exclusive OR result by using the MAC key to obtain a second MAC value;
for example, the second reorganized data is 0x4230304330503054;
the third reorganized data is 0x4530304530303030;
the fourth reorganized data is 0x00C0111213141516;
the fifth reorganized data is 0x1718090A0B0C0D0E;
the sixth reorganized data is 0x1011202122232425;
the seventh reorganized data is 0x26274B0D3A093802;
the first encrypted data is 0x77242933621CC091;
the second encrypted data is 0xB7B56CF039FB1145;
the third encrypted data is 0xD609503AA7631E0A;
the fourth encrypted data is 0xA1EB8C2CAFDD6E63;
the fifth encrypted data is 0xB0A7739DE1FF43E3;
the second MAC value is 0x0A717B22117788D7;
step 212: the device judges whether the second MAC value is the same as the key block MAC value, if so, the device returns a key transmission success response to the upper computer, and executes the step 213, otherwise, the device returns an error code to the upper computer;
step 213: the device acquires and stores the symmetric key from the first plaintext data according to the length value of the symmetric key;
specifically, the device acquires the 3rd to 26th bytes of the first plaintext data as the symmetric key according to the symmetric key length value of 24 bytes;
optionally, step 213 is followed by: the device verifies the stored symmetric key; when the verification succeeds, the symmetric key has been obtained successfully, otherwise obtaining the symmetric key has failed;
specifically, the device acquires the stored symmetric key and judges whether it is the same as the symmetric key acquired from the first plaintext data; if so, the symmetric key has been obtained successfully, otherwise obtaining the symmetric key has failed;
for example, the symmetric key obtained from the first plaintext data is 0x1112131415161718090A0B0C0D0E10112021222324252627;
this embodiment provides a method for obtaining a symmetric key with which a user can directly and safely update or upgrade a symmetric key without returning the device to the factory: when the device receives a key transmission instruction sent by an upper computer, it parses the key transmission instruction to obtain key block data and decrypts the key block data to obtain sensitive data such as the symmetric key; sensitive data such as the symmetric key can thus be updated or upgraded conveniently and quickly, and the security of the process of transmitting such sensitive data is enhanced.
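Steps 205 to 213 above, sketched as an added Python example that is not code from the patent or its applicant. It reproduces the page's first key, second key and MAC-key intermediate data, then runs the step 211 chain and the step 212-213 check. Assumptions: the 3DES call is replaced by a truncated HMAC-SHA256 stand-in (the standard library has no 3DES), the 2-byte length value 0x00C0 is read as a bit count, and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 8  # 3DES block size in bytes

# Values quoted from the page's worked example.
FIRST_DATA = bytes.fromhex("3131114FC8DB13E6")
SECOND_DATA = bytes.fromhex("17EEBB7FB49E8AAF")
PRESET_1B = bytes.fromhex("000000000000001B")  # second/tenth preset data, value 0x1B
MAC_PRESETS = [bytes.fromhex(h) for h in
               ("0100010000000080", "0200010000000080", "0300010000000080")]
HEADER = bytes.fromhex("42303043305030544530304530303030")
PLAINTEXT = bytes.fromhex("00C01112131415161718090A0B0C0D0E"
                          "101120212223242526274B0D3A093802")


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_subkey(data, preset):
    """Steps 205/208 as the page states them: keep the data when its highest
    byte is 0x00, otherwise shift left one bit (zero fill) and XOR the preset."""
    if len(data) != BLOCK or len(preset) != BLOCK:
        raise ValueError("expected 8-byte blocks")
    if data[0] == 0x00:
        return data
    shifted = (int.from_bytes(data, "big") << 1) & (2 ** 64 - 1)
    return xor(shifted.to_bytes(BLOCK, "big"), preset)


def derivation_inputs(first_key, presets):
    """Steps 206/207: the intermediate data, i.e. first key XOR each preset,
    which the device then encrypts with 3DES under the protection key."""
    return [xor(first_key, p) for p in presets]


def chained_mac(encrypt_block, data, second_key):
    """Step 211: chain the 8-byte blocks through the block cipher; the second
    key is XORed into the last block before the final encryption."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of 8 bytes")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    state = bytes(BLOCK)
    for block in blocks[:-1]:
        state = encrypt_block(xor(state, block))
    return encrypt_block(xor(xor(blocks[-1], second_key), state))


def verify_and_extract(encrypt_block, header, plaintext, second_key, received_mac):
    """Steps 210-213: MAC header || plaintext, compare in constant time, and
    only after a match trust the length field and return the key bytes."""
    if len(header) != 16 or len(plaintext) != 32:
        raise ValueError("unexpected field size")
    mac = chained_mac(encrypt_block, header + plaintext, second_key)
    if not hmac.compare_digest(mac, received_mac):
        return None
    # Assumption: the 2-byte length value counts bits (0x00C0 = 192 = 24 bytes).
    bit_len = int.from_bytes(plaintext[:2], "big")
    if bit_len == 0 or bit_len % 8 or bit_len // 8 > len(plaintext) - 2:
        return None
    return plaintext[2:2 + bit_len // 8]


def standin_cipher(key):
    """Stand-in for 3DES encryption under the MAC key (assumption, not the
    patent's cipher): HMAC-SHA256 truncated to one block. The MAC chain only
    needs the forward direction, so no decryption is required here."""
    def encrypt_block(block):
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
    return encrypt_block


def demo():
    second_key = derive_subkey(SECOND_DATA, PRESET_1B)
    cipher = standin_cipher(b"constructed MAC key")  # constructed sample key
    mac = chained_mac(cipher, HEADER + PLAINTEXT, second_key)
    accepted = verify_and_extract(cipher, HEADER, PLAINTEXT, second_key, mac)
    # Constructed tamper case: one bit of the header flipped in transit.
    flipped = bytes([HEADER[0] ^ 0x01]) + HEADER[1:]
    rejected = verify_and_extract(cipher, flipped, PLAINTEXT, second_key, mac)
    return accepted, rejected


if __name__ == "__main__":
    print("first key :", derive_subkey(FIRST_DATA, PRESET_1B).hex().upper())
    print("second key:", derive_subkey(SECOND_DATA, PRESET_1B).hex().upper())
    ok, bad = demo()
    print("accepted  :", ok.hex().upper())
    print("tampered  :", bad)
```

Because the header is part of the MAC input, a change to any header byte fails the step 212 comparison before the length field or key bytes are read.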
EXAMPLE III
In the third embodiment, an apparatus for obtaining a symmetric key is provided, including a receiving module 301, a first parsing module 302, a second parsing module 303, a first acquiring module 304, a first obtaining module 305, a second obtaining module 306, a third obtaining module 307, a fourth obtaining module 308, a fifth obtaining module 309, a sixth obtaining module 310, a second acquiring module 311, a storage module 312, and a sending module 313;
the receiving module 301 is configured to receive a key transmission instruction sent by an upper computer;
a first parsing module 302, configured to parse the key transmission instruction received by the receiving module 301 to obtain key block data;
a second parsing module 303, configured to parse the key block data obtained by the first parsing module 302 to obtain a key block header field, a key block data field, and a key block MAC value;
a first acquiring module 304, configured to acquire a preset protection key;
a first obtaining module 305, configured to obtain a first key according to the protection key, the first preset data, and the second preset data obtained by the first obtaining module 304;
optionally, the first obtaining module 305 includes a first calculating sub-module and a first obtaining sub-module;
correspondingly, the first calculating sub-module is configured to calculate the first preset data according to the protection key acquired by the first acquiring module 304 to obtain first data;
correspondingly, the first obtaining submodule is used for obtaining a first key according to the first data and the second preset data which are obtained by the first calculating submodule through calculation;
further, the first obtaining submodule comprises a first judging unit, a first updating unit, a first recording unit and a second recording unit;
correspondingly, the first calculating submodule is specifically configured to calculate the first preset data by using a first algorithm according to the protection key acquired by the first acquiring module 304 to obtain first data;
correspondingly, the first judging unit is used for judging whether the first data calculated by the first calculating submodule needs to be updated or not;
correspondingly, the first updating unit is used for updating the first data obtained by the calculation of the first calculating submodule according to the second preset data when the first judging unit judges that;
correspondingly, the first recording unit is used for recording the first data updated by the first updating unit as a first key;
correspondingly, the second recording unit is used for recording the first data obtained by the calculation of the first calculation submodule as the first key when the first judgment unit judges that the first data is not the first key.
A second obtaining module 306, configured to calculate according to the protection key, the ninth preset data, and the tenth preset data obtained by the first obtaining module 304 to obtain a second key;
optionally, the second obtaining module 306 includes a twelfth calculating sub-module and a second obtaining sub-module;
correspondingly, the twelfth calculating submodule is configured to calculate the ninth preset data according to the protection key acquired by the first acquiring module 304 to obtain second data;
correspondingly, the second obtaining submodule is used for obtaining a second key according to the second data obtained by the calculation of the twelfth calculating submodule and the tenth preset data;
further, the second obtaining submodule includes a second judging unit, a second updating unit, a third recording unit and a fourth recording unit;
correspondingly, the twelfth calculating submodule is specifically configured to calculate the ninth preset data by using the first algorithm according to the protection key acquired by the first acquiring module 304 to obtain second data;
correspondingly, the second judging unit is used for judging whether the second data calculated by the twelfth calculating submodule needs to be updated or not;
correspondingly, the second updating unit is used for updating the second data obtained by the calculation of the twelfth calculating submodule according to the tenth preset data when the second judging unit judges that the;
correspondingly, the third recording unit is used for recording the second data updated by the second updating unit as the second key;
correspondingly, the fourth recording unit is configured to record the second data calculated by the twelfth calculating sub-module as the second key.
A third obtaining module 307, configured to obtain an encryption key according to the protection key obtained by the first obtaining module 304, the first key obtained by the first obtaining module 305, third preset data, fourth preset data, and fifth preset data;
optionally, the third obtaining module 307 includes a second calculating submodule, a third calculating submodule, a fourth calculating submodule and a first composition submodule;
correspondingly, the second calculating sub-module is configured to calculate the third preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the first part of encrypted data;
correspondingly, the third calculating sub-module is configured to calculate the fourth preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the second part of encrypted data;
correspondingly, the fourth calculating sub-module is configured to calculate the fifth preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the third part of encrypted data;
correspondingly, the first composition submodule is used for forming an encryption key according to the first part of encrypted data obtained by the second calculation submodule, the second part of encrypted data obtained by the third calculation submodule and the third part of encrypted data obtained by the fourth calculation submodule;
further, the second calculation sub-module is specifically configured to obtain first intermediate data according to the first key and the third preset data obtained by the first obtaining module 305, and obtain a first part of encrypted data according to the protection key and the first intermediate data obtained by the first obtaining module 304;
correspondingly, the third computation submodule is specifically configured to obtain second intermediate data according to the first key and the fourth preset data obtained by the first obtaining module 305, and obtain second part of encrypted data according to the protection key and the second intermediate data obtained by the first obtaining module 304;
correspondingly, the fourth calculation sub-module is specifically configured to obtain third intermediate data according to the first key and the fifth preset data obtained by the first obtaining module 305, and obtain a third part of encrypted data according to the protection key and the third intermediate data obtained by the first obtaining module 304.
A fourth obtaining module 308, configured to obtain the MAC key according to the protection key obtained by the first obtaining module 304, the first key obtained by the first obtaining module 305, sixth preset data, seventh preset data, and eighth preset data;
optionally, the fourth obtaining module 308 includes a fifth computation submodule, a sixth computation submodule, a seventh computation submodule, and a second composition submodule;
correspondingly, the fifth calculating sub-module is configured to calculate the sixth preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the first part of MAC data;
correspondingly, the sixth calculating sub-module is configured to calculate the seventh preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the second part of MAC data;
correspondingly, the seventh calculating sub-module is configured to calculate the eighth preset data by using the protection key obtained by the first obtaining module 304 and the first key obtained by the first obtaining module 305 to obtain the third part of MAC data;
correspondingly, the second composition submodule is used for forming an MAC key according to the first part of MAC data obtained by the calculation of the fifth calculation submodule, the second part of MAC data obtained by the calculation of the sixth calculation submodule and the third part of MAC data obtained by the calculation of the seventh calculation submodule;
further, the fifth computation sub-module is specifically configured to obtain fourth intermediate data according to the first key and the sixth preset data obtained by the first obtaining module 305, and obtain a first part of MAC data according to the protection key and the fourth intermediate data obtained by the first obtaining module 304;
correspondingly, the sixth computation submodule is specifically configured to obtain fifth intermediate data according to the first key and the seventh preset data obtained by the first obtaining module 305, and obtain a second part of MAC data according to the protection key and the fifth intermediate data obtained by the first obtaining module 304;
correspondingly, the seventh calculating submodule is specifically configured to obtain sixth intermediate data according to the first key and the eighth preset data obtained by the first obtaining module 305, and obtain a third part of MAC data according to the protection key and the sixth intermediate data obtained by the first obtaining module 304.
A fifth obtaining module 309, configured to obtain the first plaintext data according to the encryption key obtained by the third obtaining module 307, the key block data field obtained by the analysis of the second analyzing module 303, and the key block MAC value obtained by the analysis of the second analyzing module 303;
optionally, the fifth obtaining module 309 includes a first equally dividing submodule, an eighth calculating submodule, a ninth calculating submodule, a tenth calculating submodule, an eleventh calculating submodule, and a third composing submodule;
correspondingly, the first equally dividing submodule is configured to equally divide the key block data field obtained through the analysis by the second analysis module 303 into four parts;
correspondingly, the eighth computation submodule is configured to use the encryption key obtained by the third obtaining module 307 to compute the first part obtained by the first equally dividing submodule to obtain a first computation result, and compute the first computation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain second plaintext data;
correspondingly, the ninth calculation sub-module is configured to calculate the second part obtained by the first equally dividing submodule by using the encryption key obtained by the third obtaining module 307 to obtain a second calculation result, and calculate the second calculation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain third plaintext data;
correspondingly, the tenth computation submodule is configured to use the encryption key obtained by the third obtaining module 307 to compute the third part obtained by the first equally dividing submodule to obtain a third computation result, and compute the third computation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain fourth plaintext data;
correspondingly, the eleventh calculating sub-module is configured to calculate the fourth part obtained by the first equally dividing submodule using the encryption key obtained by the third obtaining module 307 to obtain a fourth calculation result, and calculate the fourth calculation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain fifth plaintext data;
correspondingly, the third composing sub-module is used for obtaining the first plaintext data according to the second plaintext data obtained by the calculation of the eighth calculating sub-module, the third plaintext data obtained by the calculation of the ninth calculating sub-module, the fourth plaintext data obtained by the calculation of the tenth calculating sub-module and the fifth plaintext data obtained by the calculation of the eleventh calculating sub-module;
further, the first equally dividing submodule is specifically configured to equally divide the key block data field obtained through analysis by the second analysis module 303 into four parts, namely first key data, second key data, third key data, and fourth key data;
correspondingly, the eighth computation submodule is specifically configured to compute, by using the first algorithm according to the encryption key obtained by the third obtaining module 307, the first key data obtained by the first equally dividing submodule to obtain a first computation result, and compute, by using the second algorithm, the first computation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain second plaintext data;
correspondingly, the ninth calculation sub-module is specifically configured to calculate, by using the first algorithm according to the encryption key obtained by the third obtaining module 307, the second key data obtained by the first equally dividing submodule to obtain a second calculation result, and calculate, by using the second algorithm, the second calculation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain third plaintext data;
correspondingly, the tenth calculation submodule is specifically configured to calculate, by using the first algorithm according to the encryption key obtained by the third obtaining module 307, the third key data obtained by the first equally dividing submodule to obtain a third calculation result, and calculate, by using the second algorithm, the third calculation result and the key block MAC value obtained by the analysis by the second analysis module 303 to obtain fourth plaintext data;
correspondingly, the eleventh calculating sub-module is specifically configured to calculate, by using the first algorithm according to the encryption key obtained by the third obtaining module 307, the fourth key data obtained by the first equally dividing submodule to obtain a fourth calculation result, and calculate, by using the second algorithm, the fourth calculation result and the key block MAC value obtained by analyzing by the second analyzing module 303 to obtain fifth plaintext data.
A sixth obtaining module 310, configured to obtain a second MAC value according to the MAC key obtained by the fourth obtaining module 308, the first plaintext data obtained by the fifth obtaining module 309, the key block header field obtained by the analysis of the second analyzing module 303, and the second key obtained by the second obtaining module 306;
optionally, the sixth obtaining module 310 includes a thirteenth calculating sub-module, a second equally dividing sub-module, a fourteenth calculating sub-module, a fifteenth calculating sub-module, a sixteenth calculating sub-module, a seventeenth calculating sub-module, an eighteenth calculating sub-module, and a nineteenth calculating sub-module;
correspondingly, the thirteenth calculating sub-module is configured to calculate the first plaintext data acquired by the second acquiring module 311 and the key block header field obtained by analyzing by the second analyzing module 303 to obtain first recombined data;
correspondingly, the second equally dividing sub-module is used for equally dividing the first recombined data obtained by the calculation of the thirteenth calculating sub-module into six parts, namely second recombined data through seventh recombined data;
correspondingly, the fourteenth calculating sub-module is configured to calculate the second recombined data obtained by the second equally dividing sub-module by using the MAC key obtained by the fourth obtaining module 308 to obtain the first encrypted data;
correspondingly, the fifteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module 308, the third recombined data obtained by the second equally dividing sub-module and the first encrypted data, so as to obtain second encrypted data;
correspondingly, the sixteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module 308, the fourth recombined data obtained by the second equally dividing sub-module and the second encrypted data to obtain third encrypted data;
correspondingly, the seventeenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module 308, the fifth recombined data obtained by the second equally dividing sub-module and the third encrypted data to obtain fourth encrypted data;
correspondingly, the eighteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module 308, the sixth recombined data obtained by the second equally dividing sub-module and the fourth encrypted data obtained by the seventeenth calculating sub-module to obtain fifth encrypted data;
correspondingly, the nineteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module 308, the seventh recombined data obtained by the second equally dividing sub-module, the fifth encrypted data calculated by the eighteenth calculating sub-module, and the second key obtained by the second obtaining module 306 to obtain the second MAC value.
A second obtaining module 311, configured to obtain a symmetric key from the first plaintext data obtained by the fifth obtaining module 309 when the second MAC value obtained by the sixth obtaining module 310 is the same as the MAC value of the key block obtained by the second analyzing module 303;
a storage module 312, configured to store the symmetric key obtained by the second obtaining module 311;
the sending module 313 is used for returning a key transmission success response to the upper computer;
optionally, the apparatus in this embodiment further includes a determining module;
correspondingly, the determining module is configured to determine whether the second MAC value obtained by the sixth obtaining module 310 is the same as the key block MAC value obtained by the second analyzing module 303;
correspondingly, the second obtaining module 311 is specifically configured to, when the determining module determines that the second MAC value obtained by the sixth obtaining module 310 is the same as the MAC value of the key block obtained by the second parsing module 303, obtain the symmetric key from the first plaintext data obtained by the fifth obtaining module 309;
correspondingly, the sending module 313 is further configured to return an error code to the upper computer when the determining module determines that the second MAC value obtained by the sixth obtaining module 310 is different from the key block MAC value obtained by the second parsing module 303.
This embodiment provides a device for obtaining a symmetric key, with which a user can directly and securely update or upgrade a symmetric key without returning the device to the factory. When the device receives a key transmission instruction sent by the upper computer, it analyzes the key transmission instruction to obtain key block data and decrypts the key block data to obtain sensitive data such as the symmetric key. Sensitive data such as the symmetric key can thus be updated or upgraded conveniently and quickly, and the security of the process of transmitting such data is enhanced. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
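The device-side flow described above (derive the first and second keys, compose the encryption key and the MAC key, recover the first plaintext data, recompute the MAC, and release the symmetric key only on a match), sketched as an added example that is not part of the patent text. The text here leaves the first, second and third algorithms and all preset data abstract, so the 8-byte block size, the HMAC-based Feistel stand-in cipher, XOR, concatenation, the "needs update" test, the preset constants, the 1-byte length prefix and the response strings are all assumptions; `wrap` is a hypothetical host-side helper used only to construct a sample key block.

```python
import hashlib
import hmac

BLOCK = 8                                      # assumed block size in bytes
HEADER_LEN, DATA_LEN = 2 * BLOCK, 4 * BLOCK    # header + data field = six blocks
# Constructed placeholders for the first..tenth preset data (not from the patent).
PRESET = {n: bytes([n]) * BLOCK for n in range(1, 11)}
OK, ERR_FORMAT, ERR_MAC = "SUCCESS", "ERR_FORMAT", "ERR_MAC"  # hypothetical responses


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def enc(key, block):
    """Stand-in for the 'first algorithm': a 4-round Feistel permutation.
    Illustration only; a real device would use a standard block cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def dec(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def subkey(pk, calc_preset, update_preset):
    """First/second key: calculate preset data under the protection key, then
    update it when needed (assumed test: top bit set; assumed update: XOR)."""
    data = enc(pk, calc_preset)
    if data[0] & 0x80:
        data = xor(data, update_preset)
    return data


def derive(pk):
    k1 = subkey(pk, PRESET[1], PRESET[2])       # first key
    k2 = subkey(pk, PRESET[9], PRESET[10])      # second key
    # Intermediate data = first key combined with preset data (assumed XOR);
    # each part = intermediate data calculated under the protection key.
    enc_key = b"".join(enc(pk, xor(k1, PRESET[n])) for n in (3, 4, 5))
    mac_key = b"".join(enc(pk, xor(k1, PRESET[n])) for n in (6, 7, 8))
    return k2, enc_key, mac_key


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def compute_mac(mac_key, k2, header, plaintext):
    parts = blocks(header + plaintext)          # second..seventh recombined data
    state = enc(mac_key, parts[0])              # first encrypted data
    for part in parts[1:5]:                     # second..fifth encrypted data
        state = enc(mac_key, xor(part, state))
    return enc(mac_key, xor(xor(parts[5], state), k2))


def unwrap(pk, key_block):
    """Device side: returns (response, symmetric key or None)."""
    if len(key_block) != HEADER_LEN + DATA_LEN + BLOCK:
        return ERR_FORMAT, None
    header = key_block[:HEADER_LEN]
    data = key_block[HEADER_LEN:HEADER_LEN + DATA_LEN]
    mac = key_block[HEADER_LEN + DATA_LEN:]
    k2, enc_key, mac_key = derive(pk)
    plaintext = b"".join(xor(dec(enc_key, part), mac) for part in blocks(data))
    # Constant-time comparison; nothing from the plaintext is released on mismatch.
    if not hmac.compare_digest(compute_mac(mac_key, k2, header, plaintext), mac):
        return ERR_MAC, None
    key_len = plaintext[0]                      # assumed layout: length, key, padding
    if key_len > DATA_LEN - 1:
        return ERR_FORMAT, None
    return OK, plaintext[1:1 + key_len]


def wrap(pk, header, sym_key):
    """Hypothetical host-side counterpart, used to build the sample key block."""
    if len(header) != HEADER_LEN or len(sym_key) > DATA_LEN - 1:
        raise ValueError("bad header or key length")
    k2, enc_key, mac_key = derive(pk)
    plaintext = (bytes([len(sym_key)]) + sym_key).ljust(DATA_LEN, b"\x00")
    mac = compute_mac(mac_key, k2, header, plaintext)
    data = b"".join(enc(enc_key, xor(part, mac)) for part in blocks(plaintext))
    return header + data + mac


# Constructed sample values.
SAMPLE_PK = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_HEADER = b"HDR-CONSTRUCTED!"
SAMPLE_KEY = bytes(range(16))

if __name__ == "__main__":
    block = wrap(SAMPLE_PK, SAMPLE_HEADER, SAMPLE_KEY)
    print(unwrap(SAMPLE_PK, block))
    print(unwrap(SAMPLE_PK, b"X" + block[1:]))  # altered header is rejected
```

Because the MAC is computed over the header field together with the plaintext, a change to either the header or the data field makes the comparison fail and the device returns the error response instead of storing a key.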

Claims (22)

1. A method for obtaining a symmetric key, comprising the steps of:
step S1: the device receives a key transmission instruction sent by an upper computer, and analyzes the key transmission instruction to obtain key block data;
step S2: the device acquires a preset protection key; obtaining a first secret key according to the protection secret key, the first preset data and the second preset data;
step S3: the equipment obtains an encryption key according to the protection key, the first key, the third preset data, the fourth preset data and the fifth preset data; obtaining an MAC key according to the protection key, the first key, sixth preset data, seventh preset data and eighth preset data;
step S4: the device obtains first plaintext data according to the encryption key, the key block data field and the key block MAC value; obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field and a second key;
step S5: when the second MAC value is the same as the key block MAC value, obtaining and storing a symmetric key from the first plaintext data, and returning a key transmission success response to the upper computer;
between the step S1 and the step S4, the method further includes:
the device analyzes the key block data to obtain a key block header field, a key block data field and a key block MAC value;
before obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field, and the second key, and after the device obtains a preset protection key, the method further includes:
the equipment calculates according to the protection key, ninth preset data and tenth preset data to obtain a second key;
in step S2, the obtaining a first key according to the protection key, the first preset data, and the second preset data specifically includes:
the equipment calculates first preset data according to the protection key to obtain first data, and obtains a first key according to the first data and second preset data;
the device calculates first preset data according to the protection key to obtain first data, and obtains a first key according to the first data and second preset data, specifically:
the equipment calculates first preset data by using a first algorithm according to the protection key to obtain first data, judges whether the first data needs to be updated or not, if so, updates the first data according to second preset data, and records the updated first data as a first key; otherwise, the first data is recorded as a first key.
2. The method according to claim 1, wherein in step S3, the obtaining an encryption key according to the protection key, the first key, the third preset data, the fourth preset data, and the fifth preset data includes:
the device uses the protection key and the first key to respectively calculate third preset data, fourth preset data and fifth preset data to respectively obtain first part encrypted data, second part encrypted data and third part encrypted data, and an encryption key is formed according to the first part encrypted data, the second part encrypted data and the third part encrypted data.
3. The method according to claim 2, wherein the device calculates third preset data, fourth preset data, and fifth preset data using the protection key and the first key to obtain a first part of encrypted data, a second part of encrypted data, and a third part of encrypted data, respectively, and composes an encryption key according to the first part of encrypted data, the second part of encrypted data, and the third part of encrypted data, specifically:
the equipment obtains first intermediate data according to the first secret key and third preset data, and obtains first part of encrypted data according to the protection secret key and the first intermediate data; obtaining second intermediate data according to the first secret key and fourth preset data, and obtaining second part of encrypted data according to the protection secret key and the second intermediate data; obtaining third intermediate data according to the first secret key and fifth preset data, and obtaining third part of encrypted data according to the protection secret key and the third intermediate data; an encryption key is composed based on the first, second, and third portions of encrypted data.
4. The method according to claim 1, wherein in step S3, the obtaining a MAC key according to the protection key, the first key, the sixth preset data, the seventh preset data, and the eighth preset data specifically includes:
the device calculates sixth preset data, seventh preset data and eighth preset data respectively by using the protection key and the first key to respectively obtain a first part of MAC data, a second part of MAC data and a third part of MAC data, and forms an MAC key according to the first part of MAC data, the second part of MAC data and the third part of MAC data.
5. The method according to claim 4, wherein the device uses the protection key and the first key to calculate sixth preset data, seventh preset data, and eighth preset data respectively to obtain a first part of MAC data, a second part of MAC data, and a third part of MAC data, and forms a MAC key according to the first part of MAC data, the second part of MAC data, and the third part of MAC data, specifically:
the equipment obtains fourth intermediate data according to the first secret key and sixth preset data, and obtains a first part of MAC data according to the protection secret key and the fourth intermediate data; obtaining fifth intermediate data according to the first secret key and seventh preset data, and obtaining a second part of MAC data according to the protection secret key and the fifth intermediate data; obtaining sixth intermediate data according to the first secret key and eighth preset data, and obtaining a third part of MAC data according to the protection secret key and the sixth intermediate data; and forming a MAC key according to the first part of MAC data, the second part of MAC data and the third part of MAC data.
6. The method according to claim 1, wherein in step S4, the device obtains first plaintext data from the encryption key, the key block data field, and the key block MAC value, specifically:
the device equally divides the key block data field into four parts; calculates each of the four parts of the key block data field by using the encryption key to obtain a first calculation result, a second calculation result, a third calculation result and a fourth calculation result; calculates each of the four calculation results with the key block MAC value to obtain second plaintext data to fifth plaintext data; and obtains first plaintext data according to the second plaintext data to the fifth plaintext data.
7. The method of claim 6, wherein the device equally divides the key block data field into four parts, calculates each of the four parts of the key block data field by using the encryption key, calculates each of the resulting first to fourth calculation results with the key block MAC value, and obtains first plaintext data according to the resulting second plaintext data to fifth plaintext data, specifically:
the device equally divides the key block data field into first key data, second key data, third key data and fourth key data; calculating the first key data by using a first algorithm according to the encryption key to obtain a first calculation result, and calculating the first calculation result and the MAC value of the key block by using a second algorithm to obtain second plaintext data; calculating second key data by using a first algorithm according to the encryption key to obtain a second calculation result, and calculating the second calculation result and the MAC value of the key block by using a second algorithm to obtain third plaintext data; calculating the third key data by using a first algorithm according to the encryption key to obtain a third calculation result, and calculating the third calculation result and the key block MAC value by using a second algorithm to obtain fourth plaintext data; calculating the fourth key data by using a first algorithm according to the encryption key to obtain a fourth calculation result, and calculating the fourth calculation result and the MAC value of the key block by using a second algorithm to obtain fifth plaintext data; and calculating the second plaintext data to the fifth plaintext data by using a third algorithm to obtain first plaintext data.
8. The method according to claim 1, wherein the device performs calculation according to the protection key, the ninth preset data, and the tenth preset data to obtain a second key, specifically:
and the equipment calculates ninth preset data according to the protection key to obtain second data, and obtains a second key according to the second data and tenth preset data.
9. The method according to claim 8, wherein the device calculates ninth preset data according to the protection key to obtain second data, and obtains a second key according to the second data and tenth preset data, specifically:
the device calculates ninth preset data by using a first algorithm according to the protection key to obtain second data, judges whether the second data needs to be updated, if so, updates the second data according to tenth preset data, and records the updated second data as a second key; otherwise, the second data is recorded as a second key.
10. The method according to claim 1, wherein in step S4, the obtaining a second MAC value according to the MAC key, the first plaintext data, the key block header field, and a second key is specifically:
the device calculates the first plaintext data and the key block header field to obtain first recombined data; equally divides the first recombined data into six parts, namely second recombined data through seventh recombined data; calculates the second recombined data by using the MAC key to obtain first encrypted data; calculates the third recombined data and the first encrypted data by using the MAC key to obtain second encrypted data; calculates the fourth recombined data and the second encrypted data by using the MAC key to obtain third encrypted data; calculates the fifth recombined data and the third encrypted data by using the MAC key to obtain fourth encrypted data; calculates the sixth recombined data and the fourth encrypted data by using the MAC key to obtain fifth encrypted data; and calculates the seventh recombined data, the fifth encrypted data and the second key by using the MAC key to obtain a second MAC value.
11. The method according to claim 1, wherein in step S5, the method further comprises: and the equipment judges whether the second MAC value is the same as the MAC value of the key block, if so, a symmetric key is obtained from the first plaintext data and stored, a key transmission success response is returned to the upper computer, and if not, an error code is returned to the upper computer.
12. A device for obtaining a symmetric key, characterized by comprising a receiving module, a first analyzing module, a second analyzing module, a first acquiring module, a first obtaining module, a second obtaining module, a third obtaining module, a fourth obtaining module, a fifth obtaining module, a sixth obtaining module, a second acquiring module, a storage module and a sending module;
the receiving module is used for receiving a key transmission instruction sent by the upper computer;
the first analysis module is configured to analyze the key transmission instruction received by the receiving module to obtain key block data;
the second analysis module is used for analyzing the key block data obtained by the analysis of the first analysis module to obtain a key block header field, a key block data field and a key block MAC value;
the first acquiring module is used for obtaining a preset protection key;
the first obtaining module is configured to obtain a first key according to the protection key obtained by the first acquiring module, first preset data, and second preset data;
the second obtaining module is configured to calculate according to the protection key obtained by the first acquiring module, ninth preset data, and tenth preset data to obtain a second key;
the third obtaining module is configured to obtain an encryption key according to the protection key obtained by the first acquiring module, the first key obtained by the first obtaining module, third preset data, fourth preset data, and fifth preset data;
the fourth obtaining module is configured to obtain an MAC key according to the protection key obtained by the first acquiring module, the first key obtained by the first obtaining module, sixth preset data, seventh preset data, and eighth preset data;
the fifth obtaining module is configured to obtain first plaintext data according to the encryption key obtained by the third obtaining module, the key block data field obtained through analysis by the second analyzing module, and the key block MAC value obtained through analysis by the second analyzing module;
the sixth obtaining module is configured to obtain a second MAC value according to the MAC key obtained by the fourth obtaining module, the first plaintext data obtained by the fifth obtaining module, the key block header field obtained by the analysis of the second analyzing module, and the second key obtained by the second obtaining module;
the second acquiring module is configured to obtain a symmetric key from the first plaintext data obtained by the fifth obtaining module when the second MAC value obtained by the sixth obtaining module is the same as the key block MAC value obtained by the second analysis module;
the storage module is configured to store the symmetric key obtained by the second acquiring module;
the sending module is used for returning a key transmission success response to the upper computer;
the first obtaining module comprises a first calculating submodule and a first obtaining submodule;
the first calculation submodule is configured to calculate first preset data according to the protection key acquired by the first acquisition module to obtain first data;
the first obtaining submodule is used for obtaining a first key according to the first data and second preset data obtained by the first calculating submodule through calculation;
the first obtaining submodule comprises a first judging unit, a first updating unit, a first recording unit and a second recording unit;
the first calculation submodule is specifically configured to calculate first preset data by using a first algorithm according to the protection key acquired by the first acquisition module to obtain first data;
the first judging unit is configured to judge whether the first data calculated by the first calculating submodule needs to be updated;
the first updating unit is configured to update the first data calculated by the first calculating submodule according to second preset data when the first judging unit judges yes;
the first recording unit is used for recording the first data updated by the first updating unit as a first key;
the second recording unit is configured to record the first data calculated by the first calculation submodule as a first key when the first judging unit judges no.
13. The apparatus of claim 12, wherein the third obtaining module comprises a second computation submodule, a third computation submodule, a fourth computation submodule, and a first composition submodule;
the second calculation submodule is configured to calculate third preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a first part of encrypted data;
the third calculation submodule is configured to calculate fourth preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a second part of encrypted data;
the fourth calculation submodule is configured to calculate fifth preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a third part of encrypted data;
the first composition submodule is configured to compose an encryption key according to the first part of encrypted data calculated by the second calculation submodule, the second part of encrypted data calculated by the third calculation submodule, and the third part of encrypted data calculated by the fourth calculation submodule.
14. The device according to claim 13, wherein the second computation submodule is specifically configured to obtain first intermediate data according to the first key obtained by the first obtaining module and third preset data, and obtain a first part of encrypted data according to the protection key obtained by the first acquiring module and the first intermediate data;
the third calculation submodule is specifically configured to obtain second intermediate data according to the first key obtained by the first obtaining module and fourth preset data, and obtain a second part of encrypted data according to the protection key obtained by the first acquiring module and the second intermediate data;
the fourth calculation sub-module is specifically configured to obtain third intermediate data according to the first key obtained by the first obtaining module and fifth preset data, and obtain a third part of encrypted data according to the protection key obtained by the first acquiring module and the third intermediate data.
15. The apparatus of claim 12, wherein the fourth obtaining module comprises a fifth computation submodule, a sixth computation submodule, a seventh computation submodule, and a second composition submodule;
the fifth calculation submodule is configured to calculate sixth preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a first part of MAC data;
the sixth calculating submodule is configured to calculate seventh preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a second part of MAC data;
the seventh calculation submodule is configured to calculate eighth preset data by using the protection key obtained by the first acquiring module and the first key obtained by the first obtaining module to obtain a third part of MAC data;
the second composition submodule is configured to compose an MAC key according to the first part of MAC data calculated by the fifth calculation submodule, the second part of MAC data calculated by the sixth calculation submodule, and the third part of MAC data calculated by the seventh calculation submodule.
16. The device according to claim 15, wherein the fifth computation submodule is specifically configured to obtain fourth intermediate data according to the first key obtained by the first obtaining module and sixth preset data, and obtain a first part of MAC data according to the protection key obtained by the first acquiring module and the fourth intermediate data;
the sixth computation submodule is specifically configured to obtain fifth intermediate data according to the first key obtained by the first obtaining module and seventh preset data, and obtain a second part of MAC data according to the protection key obtained by the first acquiring module and the fifth intermediate data;
the seventh calculation submodule is specifically configured to obtain sixth intermediate data according to the first key obtained by the first obtaining module and eighth preset data, and obtain a third part of MAC data according to the protection key obtained by the first acquiring module and the sixth intermediate data.
17. The apparatus of claim 12, wherein the fifth obtaining module includes a first equally dividing submodule, an eighth computation submodule, a ninth computation submodule, a tenth computation submodule, an eleventh computation submodule, and a third composition submodule;
the first equally dividing submodule is configured to equally divide the key block data field obtained through analysis by the second analysis module into four parts;
the eighth calculation submodule is configured to calculate the first part obtained by the first equally dividing submodule by using the encryption key obtained by the third obtaining module to obtain a first calculation result, and calculate the first calculation result and the key block MAC value obtained by analyzing by the second analyzing module to obtain second plaintext data;
the ninth calculation submodule is configured to calculate the second part obtained by the first equally dividing submodule using the encryption key obtained by the third obtaining module to obtain a second calculation result, and calculate the second calculation result and the key block MAC value obtained by analyzing by the second analyzing module to obtain third plaintext data;
the tenth calculation submodule is configured to calculate the third part obtained by the first equally dividing submodule by using the encryption key obtained by the third obtaining module to obtain a third calculation result, and calculate the third calculation result and the key block MAC value obtained by analyzing by the second analysis module to obtain fourth plaintext data;
the eleventh calculation sub-module is configured to calculate the fourth part obtained by the first equally dividing submodule by using the encryption key obtained by the third obtaining module to obtain a fourth calculation result, and calculate the fourth calculation result and the key block MAC value obtained by analyzing by the second analyzing module to obtain fifth plaintext data;
the third composing submodule is configured to obtain first plaintext data according to the second plaintext data calculated by the eighth calculating submodule, the third plaintext data calculated by the ninth calculating submodule, the fourth plaintext data calculated by the tenth calculating submodule, and the fifth plaintext data calculated by the eleventh calculating submodule.
18. The apparatus according to claim 17, wherein the first equally dividing submodule is specifically configured to equally divide the key block data field obtained by parsing by the second parsing module into four parts, namely first key data, second key data, third key data, and fourth key data;
the eighth calculation submodule is specifically configured to calculate, by using a first algorithm according to the encryption key obtained by the third obtaining module, the first key data obtained by the first equally dividing submodule to obtain a first calculation result, and calculate, by using a second algorithm, the first calculation result and the key block MAC value obtained by analyzing by the second analyzing module to obtain second plaintext data;
the ninth calculation submodule is specifically configured to calculate, by using a first algorithm according to the encryption key obtained by the third obtaining module, the second key data obtained by the first equally dividing submodule to obtain a second calculation result, and calculate, by using a second algorithm, the second calculation result and the key block MAC value obtained by analyzing by the second analyzing module to obtain third plaintext data;
the tenth calculation submodule is specifically configured to calculate, by using a first algorithm according to the encryption key obtained by the third obtaining module, the third key data obtained by the first equally dividing submodule to obtain a third calculation result, and calculate, by using a second algorithm, the third calculation result and the key block MAC value obtained by the analysis of the second analysis module to obtain fourth plaintext data;
the eleventh calculation sub-module is specifically configured to calculate, by using a first algorithm according to the encryption key obtained by the third obtaining module, the fourth key data obtained by the first equally dividing submodule to obtain a fourth calculation result, and calculate, by using a second algorithm, the fourth calculation result and the key block MAC value obtained by the analysis by the second analysis module to obtain fifth plaintext data.
19. The apparatus of claim 12, wherein the second obtaining module comprises a twelfth calculating submodule and a second obtaining submodule;
the twelfth calculating submodule is configured to calculate ninth preset data according to the protection key acquired by the first acquiring module to obtain second data;
the second obtaining submodule is configured to obtain a second key according to the second data and tenth preset data obtained through calculation by the twelfth calculating submodule.
20. The apparatus of claim 19, wherein the second obtaining submodule includes a second determining unit, a second updating unit, a third recording unit, and a fourth recording unit;
the twelfth calculating submodule is specifically configured to calculate ninth preset data by using a first algorithm according to the protection key acquired by the first acquiring module to obtain second data;
the second judging unit is configured to judge whether the second data calculated by the twelfth calculating sub-module needs to be updated;
the second updating unit is configured to update the second data calculated by the twelfth calculating submodule according to tenth preset data when the second determination unit determines that the second determination;
the third recording unit is used for recording the second data updated by the second updating unit as a second key;
and the fourth recording unit is configured to record the second data obtained by the calculation of the twelfth calculating sub-module as a second key.
21. The apparatus of claim 12, wherein the sixth obtaining module includes a thirteenth calculating sub-module, a second equally dividing sub-module, a fourteenth calculating sub-module, a fifteenth calculating sub-module, a sixteenth calculating sub-module, a seventeenth calculating sub-module, an eighteenth calculating sub-module, and a nineteenth calculating sub-module;
the thirteenth calculating sub-module is configured to calculate the first plaintext data acquired by the second acquiring module and the key block header field obtained by analysis by the second analyzing module to obtain first reassembly data;
the second equally dividing submodule is used for equally dividing the first recombined data obtained by the calculation of the thirteenth calculating submodule into six parts, namely second recombined data through seventh recombined data;
the fourteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the second recombined data obtained through equal division by the second equally dividing sub-module to obtain first encrypted data;
the fifteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the third recombined data obtained through equal division by the second equally dividing sub-module and the first encrypted data, so as to obtain second encrypted data;
the sixteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the fourth recombined data obtained through equal division by the second equally dividing sub-module and the second encrypted data, so as to obtain third encrypted data;
the seventeenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the fifth recombined data obtained through equal division by the second equally dividing sub-module and the third encrypted data, so as to obtain fourth encrypted data;
the eighteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the sixth recombined data obtained through equal division by the second equally dividing sub-module and the fourth encrypted data calculated by the seventeenth calculating sub-module, so as to obtain fifth encrypted data;
the nineteenth calculating sub-module is configured to calculate, by using the MAC key obtained by the fourth obtaining module, the seventh recombined data obtained through equal division by the second equally dividing sub-module, the fifth encrypted data calculated by the eighteenth calculating sub-module, and the second key obtained by the second obtaining module, so as to obtain a second MAC value.
22. The apparatus of claim 12, further comprising a determination module;
the judging module is configured to judge whether the second MAC value obtained by the sixth obtaining module is the same as the MAC value of the key block obtained by the second analyzing module;
the second obtaining module is specifically configured to, when the determining module determines that the second MAC value obtained by the sixth obtaining module is the same as the MAC value of the key block obtained by the second parsing module, obtain a symmetric key from the first plaintext data obtained by the fifth obtaining module;
and the sending module is further configured to return an error code to the upper computer when the judging module judges that the second MAC value obtained by the sixth obtaining module is different from the key block MAC value obtained by the second analyzing module.
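The MAC chaining of claim 21 and the compare-before-release check of claim 22, as an added Python sketch that is not part of the patent text. The claims do not name the algorithms, so truncated HMAC-SHA256 as the keyed step, XOR as the combining step, a 16-byte block and header-then-plaintext order are all assumptions, and the sample values are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # assumed block size; the claims do not state one

def keyed_step(key: bytes, block: bytes) -> bytes:
    # Stand-in (assumption) for the claims' unnamed keyed algorithm:
    # HMAC-SHA256 truncated to one block.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    # Assumed combining step; the claims only say the values are "calculated".
    return bytes(x ^ y for x, y in zip(a, b))

def chained_mac(mac_key, second_key, header, plaintext):
    # Claim 21: recombine header and plaintext (concatenation order assumed),
    # split into six equal parts, then chain each part into the next step.
    data = header + plaintext
    if len(data) != 6 * BLOCK:
        raise ValueError("recombined data must split into six blocks")
    parts = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    state = keyed_step(mac_key, parts[0])          # first encrypted data
    for part in parts[1:5]:                        # second to fifth encrypted data
        state = keyed_step(mac_key, xor(part, state))
    # The last part is combined with the running value and the second key.
    return keyed_step(mac_key, xor(xor(parts[5], state), second_key))

def release_plaintext(mac_key, second_key, header, plaintext, key_block_mac):
    # Claim 22: compare first, release only on a match. None stands for the
    # error code returned to the upper computer.
    expected = chained_mac(mac_key, second_key, header, plaintext)
    if not hmac.compare_digest(expected, key_block_mac):
        return None
    return plaintext

def demo():
    # Constructed sample values, not taken from the patent.
    mac_key, second_key = b"M" * BLOCK, b"S" * BLOCK
    header, plaintext = b"H" * BLOCK, bytes(range(5 * BLOCK))
    mac = chained_mac(mac_key, second_key, header, plaintext)
    good = release_plaintext(mac_key, second_key, header, plaintext, mac)
    bad_header = b"h" + header[1:]  # one altered header byte
    tampered = release_plaintext(mac_key, second_key, bad_header, plaintext, mac)
    return good == plaintext, tampered

if __name__ == "__main__":
    print(demo())
```

Because the header is part of the MACed data, changing a header byte makes the recomputed value differ and nothing is released; the comparison uses `hmac.compare_digest` so its timing does not depend on where the two values first differ.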
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810930698.5A CN109150510B (en) 2018-08-15 2018-08-15 Method and equipment for obtaining symmetric key

Publications (2)

Publication Number Publication Date
CN109150510A CN109150510A (en) 2019-01-04
CN109150510B CN109150510B (en) 2021-03-16

Family

ID=64789685

Country Status (1)

Country Link
CN (1) CN109150510B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant