CN109245899A - A novel trust chain design method based on the SM9 cryptographic algorithm
- Publication number: CN109245899A
- Application number: CN201811035759.8A
- Authority: CN (China)
- Prior art keywords: entity, verified, signature, key, TPM
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The invention discloses a novel trust chain design method based on the SM9 cryptographic algorithm. The design flow comprises initialization, establishing a key mapping table, generating signature information, and measurement verification. The beneficial effects of the invention are: (1) the expected measurement value of each entity is protected with identity-based digital signatures, which effectively protects the integrity and authenticity of the entity information; (2) without introducing a CA certificate system, the TPM is used directly as the root of trust and the SM9 cryptographic algorithm is introduced with the TPM acting as the key generation center, implementing digital signing and signature verification and ensuring that the whole process is secure and trusted.
Description
Technical field
The present invention relates to the field of trusted computing, and in particular to a novel trust chain design method based on the SM9 cryptographic algorithm.
Background art
(1) Trust chain design techniques
Trust chain transfer has long been a research focus in the field of trusted computing, and the TPM 2.0 standard is currently the one most widely used internationally. The Trusted Computing Group proposed using the TPM as the root of trust for measurement and transferring trust stage by stage by measuring each component before it is loaded: each stage verifies the next and each stage trusts the next. This extends measurement verification from the hardware root of trust up to application software, ensures that no component is tampered with while trust is transferred along the chain, and largely removes the security risks in the platform boot process. The traditional trust model is shown in Fig. 1. The traditional trust chain model is defined fairly simply: its basic functions are measure, verify and jump, and during measurement verification the integrity of each component is verified using hash values. However, as products' information security requirements keep changing, a security mechanism that transfers trust in this way carries considerable security risks, including firmware modification, theft of communication data, and resetting of configuration registers. The relevant literature points out that signing and signature verification with conventional public keys can effectively defend against this kind of attack, but this approach requires introducing a CA certificate management system, which increases the complexity of the application process.
(2) SM9 cryptographic algorithm
The SM9 cryptographic algorithm is an identity-based cryptographic algorithm built on bilinear pairings and recently published in China. It differs from traditional public-key algorithms and mainly comprises a digital signature algorithm, a key exchange protocol, a key encapsulation algorithm, and a public-key encryption and decryption algorithm. An identity-based system can use an entity's valid identifier as its public key, so users do not need to apply for or exchange certificates, which greatly reduces the complexity of the security system. It is very widely applicable and can provide security services such as data encryption and identity authentication, for example secure encryption for smart terminals, secure Internet of Things communication, and mobile payment.
Summary of the invention
To address the shortcomings of current trusted computing trust chains, and drawing on the advantages of the SM9 algorithm, the present invention proposes a design method for a novel trusted computing trust chain based on the SM9 signing and signature verification algorithms.
The object of the invention is achieved by the following technical solution: a novel trust chain design method based on the SM9 cryptographic algorithm, whose design flow is as follows:
1) Initialization
TPM chip factory initialization: following the SM9 algorithm flow, set the public parameters of the SM9 key generation, signing and signature verification algorithms;
2) Establish the key mapping table
The TPM serves as the trusted key generation center (KGC). The identity of each individual component on the trust chain is denoted ID_i, and the trusted path, that is, the ordered sequence of module nodes from the root of trust to the module currently being signature-verified, is denoted IDT = (ID_1, ID_2, ..., ID_n). Before each component is loaded, the verifier first checks whether the boot sequence matches the expected one. The private and public keys used in signing and signature verification are distributed according to the ID information: Q_i denotes the signature-verification public key corresponding to component ID_i, and d_i denotes the user private key corresponding to component ID_i. They are stored in the TPM in the form of a mapping table (ID_i, Q_i, d_i);
3) Generate signature information
The signature generation process: during firmware download, a hash is computed over the firmware, the key mapping table is looked up, and the hash result is signed with the user's signing private key following the SM9 signature algorithm flow, producing the signature information of each entity; finally the signature information is packaged together with the original entity information;
4) Measurement verification
The information of the verified entity and the entity to be verified, and the measurement verification process:
1. The verified entity sends the data of the entity to be verified to the TPM through a function program, including the ID and firmware code of the current entity, the ID of the next entity, and other information;
2. After the TPM obtains the ID information, it looks up the key mapping table to obtain the corresponding public key, computes a hash over the data sent in step 1, and sends the hashed data and the corresponding signature-verification public key to the verified entity;
3. The verified entity reads the signature information of the entity to be verified and verifies it using the public key of the entity to be verified;
4. If verification passes, the TPM is notified and, on receiving the notification, saves the user key mapping table; if verification fails, the current user key information is deleted and measurement is performed again.
The beneficial effects of the present invention are:
(1) The expected measurement value of each entity is protected with digital signature technology
The hash of the original entity information is signed using digital signature technology, which effectively protects the integrity and authenticity of the entity information;
(2) Signing and signature verification in the trust chain are completed without CA authentication
Without introducing a CA certificate system, the TPM is used directly as the root of trust, the SM9 cryptographic algorithm is introduced, and the TPM serves as the key generation center, implementing digital signing and signature verification, ensuring that the whole process is secure and trusted, and improving efficiency.
Description of the drawings
Fig. 1 is the trust chain model;
Fig. 2 is the signing process;
Fig. 3 is the flow chart of one level measuring the next level;
Fig. 4 is the verification process.
Specific embodiment
The technical solution of the invention is described in further detail below with reference to the drawings, but the scope of protection of the invention is not limited to what follows.
A novel trust chain design method based on the SM9 cryptographic algorithm, whose design flow is as follows:
1) Initialization
TPM chip factory initialization: following the SM9 algorithm flow, set the public parameters of the SM9 key generation, signing and signature verification algorithms;
2) Establish the key mapping table
The TPM serves as the trusted key generation center (KGC). The identity of each individual component on the trust chain is denoted ID_i, and the trusted path, that is, the ordered sequence of module nodes from the root of trust to the module currently being signature-verified, is denoted IDT = (ID_1, ID_2, ..., ID_n). Before each component is loaded, the verifier first checks whether the boot sequence matches the expected one. The private and public keys used in signing and signature verification are distributed according to the ID information: Q_i denotes the signature-verification public key corresponding to component ID_i, and d_i denotes the user private key corresponding to component ID_i. They are stored in the TPM in the form of a mapping table (ID_i, Q_i, d_i);
3) Generate signature information
The signature generation process is shown in Fig. 2: during firmware download, a hash is computed over the firmware, the key mapping table is looked up, and the hash result is signed with the user's signing private key following the SM9 signature algorithm flow, producing the signature information of each entity; finally the signature information is packaged together with the original entity information;
4) Measurement verification
The information of the verified entity and the entity to be verified, and the measurement verification process, are shown in Fig. 3;
1. The verified entity sends the data of the entity to be verified to the TPM through a function program, including the ID and firmware code of the current entity, the ID of the next entity, and other information;
2. After the TPM obtains the ID information, it looks up the key mapping table to obtain the corresponding public key, computes a hash over the data sent in step 1, and sends the hashed data and the corresponding signature-verification public key to the verified entity;
3. The verified entity reads the signature information of the entity to be verified and verifies it using the public key of the entity to be verified; the specific verification flow is shown in Fig. 4;
4. If verification passes, the TPM is notified and, on receiving the notification, saves the user key mapping table; if verification fails, the current user key information is deleted and measurement is performed again.
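The four steps above as an added Python sketch; it is not code from the patent. SM9 needs a pairing library, so Shamir's 1984 RSA-based identity-based signature with a toy-size modulus stands in for it, and `ToyTPM`, `boot`, the component IDs and the firmware strings are constructed for illustration.

```python
import hashlib
import secrets

# Stand-in for SM9 (assumption): Shamir's 1984 RSA-based identity-based
# signature. Toy modulus from two Mersenne primes; far too small for real use.
P1, P2 = 2**127 - 1, 2**107 - 1
N, E = P1 * P2, 65537
MASTER_D = pow(E, -1, (P1 - 1) * (P2 - 1))   # KGC master secret, stays in the TPM


def h_int(*parts: bytes) -> int:
    """Hash length-prefixed byte strings to an integer mod N."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N


class ToyTPM:
    """Hypothetical model of the TPM as KGC and holder of the (ID_i, Q_i, d_i) table."""

    def __init__(self, trusted_path):
        self.path = list(trusted_path)                 # IDT = (ID_1, ..., ID_n)
        self.table = {}
        for ident in self.path:                        # step 2: key mapping table
            q_i = h_int(ident.encode())                # Q_i is derived from ID_i alone
            self.table[ident] = (q_i, pow(q_i, MASTER_D, N))   # d_i = Q_i^d mod N

    def sign_firmware(self, ident, firmware):          # step 3: hash, sign, package
        _, d_i = self.table[ident]
        digest = hashlib.sha256(firmware).digest()
        r = secrets.randbelow(N - 2) + 2
        t = pow(r, E, N)
        s = d_i * pow(r, h_int(t.to_bytes(32, "big"), digest), N) % N
        return {"id": ident, "firmware": firmware, "sig": (t, s)}

    def measure(self, current_id, next_id, firmware):  # step 4, sub-steps 1 and 2
        idx = self.path.index(current_id)              # ValueError if the ID is unknown
        if self.path[idx + 1:idx + 2] != [next_id]:
            raise ValueError("boot order does not match IDT")
        return hashlib.sha256(firmware).digest(), self.table[next_id][0]


def verify(digest, q_i, sig):                          # step 4, sub-step 3
    t, s = sig[0] % N, sig[1] % N
    return pow(s, E, N) == q_i * pow(t, h_int(t.to_bytes(32, "big"), digest), N) % N


def boot(tpm, packages):
    """Return the IDs trusted so far, stopping at the first failed measurement."""
    trusted = [tpm.path[0]]                            # root of trust
    for pkg in packages:
        try:
            digest, q_i = tpm.measure(trusted[-1], pkg["id"], pkg["firmware"])
        except ValueError:
            break
        if not verify(digest, q_i, pkg["sig"]):
            break
        trusted.append(pkg["id"])
    return trusted


# Constructed sample chain and firmware images (not from the patent).
CHAIN = ["crtm", "bootloader", "kernel", "app"]
TPM = ToyTPM(CHAIN)
PACKAGES = [TPM.sign_firmware(i, f"{i}-image-v1".encode()) for i in CHAIN[1:]]

if __name__ == "__main__":
    print(boot(TPM, PACKAGES))
```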
The invention introduces an identity-based signing and signature verification mechanism and redesigns the trust chain establishment process. The TPM serves as the root of trust and as the trusted center for identity key generation, and the SM9 digital signing and signature verification mechanism together with a data integrity verification mechanism is used to verify the integrity and authenticity of boot entities, establishing a secure and reliable trust chain. The method is also applicable to secure updates of entities in the trust chain, and solves the security problems present in trust chain establishment and entity update.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it. It should be noted that any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
Claims (1)
1. A novel trust chain design method based on the SM9 cryptographic algorithm, characterized in that the design flow is as follows:
1) Initialization
TPM chip factory initialization: following the SM9 algorithm flow, set the public parameters of the SM9 key generation, signing and signature verification algorithms;
2) Establish the key mapping table
The TPM serves as the trusted key generation center (KGC). The identity of each individual component on the trust chain is denoted ID_i, and the trusted path, that is, the ordered sequence of module nodes from the root of trust to the module currently being signature-verified, is denoted IDT = (ID_1, ID_2, ..., ID_n). Before each component is loaded, the verifier first checks whether the boot sequence matches the expected one. The private and public keys used in signing and signature verification are distributed according to the ID information: Q_i denotes the signature-verification public key corresponding to component ID_i, and d_i denotes the user private key corresponding to component ID_i. They are stored in the TPM in the form of a mapping table (ID_i, Q_i, d_i);
3) Generate signature information
The signature generation process: during firmware download, a hash is computed over the firmware, the key mapping table is looked up, and the hash result is signed with the user's signing private key following the SM9 signature algorithm flow, producing the signature information of each entity; finally the signature information is packaged together with the original entity information;
4) Measurement verification
The information of the verified entity and the entity to be verified, and the measurement verification process:
1. The verified entity sends the data of the entity to be verified to the TPM through a function program, including the ID and firmware code of the current entity, the ID of the next entity, and other information;
2. After the TPM obtains the ID information, it looks up the key mapping table to obtain the corresponding public key, computes a hash over the data sent in step 1, and sends the hashed data and the corresponding signature-verification public key to the verified entity;
3. The verified entity reads the signature information of the entity to be verified and verifies it using the public key of the entity to be verified;
4. If verification passes, the TPM is notified and, on receiving the notification, saves the user key mapping table; if verification fails, the current user key information is deleted and measurement is performed again.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811035759.8A CN109245899B (en) | 2018-09-06 | 2018-09-06 | Trust chain design method based on SM9 cryptographic algorithm |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109245899A (en) | 2019-01-18 |
CN109245899B (en) | 2021-03-16 |
Family
ID=65060977
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811035759.8A Active CN109245899B (en) | 2018-09-06 | 2018-09-06 | Trust chain design method based on SM9 cryptographic algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109245899B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||