CN109245899B - Trust chain design method based on SM9 cryptographic algorithm - Google Patents

Trust chain design method based on SM9 cryptographic algorithm Download PDF

Info

Publication number
CN109245899B
CN109245899B CN201811035759.8A CN201811035759A CN109245899B CN 109245899 B CN109245899 B CN 109245899B CN 201811035759 A CN201811035759 A CN 201811035759A CN 109245899 B CN109245899 B CN 109245899B
Authority
CN
China
Prior art keywords
entity
signature
information
verified
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811035759.8A
Other languages
Chinese (zh)
Other versions
CN109245899A (en
Inventor
李雨励
饶金涛
李军
梅瑞
何卫国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu 30javee Microelectronics Co ltd
Original Assignee
Chengdu 30javee Microelectronics Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu 30javee Microelectronics Co ltd filed Critical Chengdu 30javee Microelectronics Co ltd
Priority to CN201811035759.8A priority Critical patent/CN109245899B/en
Publication of CN109245899A publication Critical patent/CN109245899A/en
Application granted granted Critical
Publication of CN109245899B publication Critical patent/CN109245899B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a trust chain design method based on SM9 cryptographic algorithm, which comprises the steps of initializing, establishing a key mapping table, generating signature information and measuring and verifying. The invention has the beneficial effects that: (1) the expected metric value of the entity is protected by using the digital signature technology based on the identity, and the integrity and the authenticity of the entity information are effectively protected. (2) Under the condition that a CA certificate system is not introduced, the TPM is directly used as a trusted root, meanwhile, an SM9 cryptographic algorithm is introduced, and the TPM is used as a key generation center, so that the processes of digital signature and signature verification are realized, and the safety and the credibility of the whole process are ensured.

Description

Trust chain design method based on SM9 cryptographic algorithm
Technical Field
The invention relates to the field of trusted computing, in particular to a novel trust chain design method based on an SM9 cryptographic algorithm.
Background
(1) Trust chain design techniques
The transmission of a trust chain is always a research hotspot in the field of trusted computing, the TPM2.0 standard is widely used internationally at present, trusted computing organizations propose methods which take the TPM as a trusted measurement root and carry out measurement before loading and trust step-by-step transmission, carry out primary verification and primary trust step-by-step, realize measurement verification from a hardware trusted root to software of an application program, ensure that each component in the transmission process of the trust chain is not tampered, and basically solve the potential safety hazard in the starting process of a platform. The traditional trust model is as shown in fig. 1, the traditional trust chain model has a single definition, and its basic functions are measurement, verification, and jumping, and in the measurement verification process, the integrity of each component is verified by using hash values. However, with the continuous change of the requirements of products on information security, the security mechanism based on the mode for transmitting the trust chain has a great potential safety hazard, including that the firmware is modified, the communication data is stolen, and the configuration register is reset. The related documents indicate that the signature using the common public key and the method for verifying the signature can effectively defend against the attack, but the CA certificate management system must be introduced by adopting the method, so that the complexity of the application process is increased.
(2) SM9 cryptographic algorithm
The SM9 cryptographic algorithm is a bilinear pairing-based identification cryptographic algorithm newly published in China, is an identification cryptographic algorithm different from the traditional public key algorithm, and mainly comprises a digital signature algorithm, a key exchange algorithm, a key encapsulation algorithm and a public key encryption and decryption algorithm. The identification algorithm system can use the effective identification of the entity as a public key, and a user does not need to apply for and exchange certificates, thereby greatly reducing the complexity of the security system. The method has wide application, and can realize security services such as various data encryption, identity authentication and the like. For example, the intelligent terminal security encryption, the internet of things security communication, the mobile payment and the like.
Disclosure of Invention
Aiming at the defects of the existing trusted computing trust chain, the invention provides a novel trusted computing trust chain design method based on the SM9 signature verification algorithm by combining the advantages of the SM9 algorithm.
The purpose of the invention is realized by the following technical scheme: a novel trust chain design method based on SM9 cryptographic algorithm comprises the following design processes:
1) initialization
Factory initialization setting of the TPM chip, setting public parameters of SM9 key generation, signature algorithm and signature verification algorithm according to the algorithm flow of SM 9;
2) establishing a key mapping table
Taking the TPM as a trusted center key generation center KGC, marking the identity of a single component on a trust chain as IDi, and marking an ordered node sequence of a trusted path from a trusted root to a module currently being verified and signed as IDT ═ I (ID)1,ID2,...IDn) Before loading each component, the verifier checks whether the boot sequence is expected, distributes a private key and a public key in the signature verification process according to the ID information, and uses QiRepresentative IDiThe components corresponding to verifying signaturesPublic key, using diRepresentative IDiComponent-specific user private key, using mapping table (ID)i,Qi,di) The form is stored in the TPM;
3) generating signature information
Procedure for generating signature information: in the process of downloading the firmware, carrying out hash operation on the firmware, searching a key mapping table, signing the hash result by using a user signature private key according to the SM9 signature algorithm flow, generating signature information of each entity, and finally carrying out combined encapsulation with the original entity information;
4) metric verification
Information of the verified entity and the entity to be verified, and the process of metric verification:
firstly, the verified entity sends the data of the entity to be verified to the TPM through a functional program, wherein the data comprises information such as the ID and the firmware code of the current entity, the ID of the next entity and the like;
after the TPM obtains the ID information, a key mapping table is searched to obtain a corresponding public key, meanwhile, hash operation is carried out on the data sent in the first step, and the hashed data and the corresponding public key for verifying the signature are sent to a verified entity;
reading the signature information of the entity to be verified by the verified entity for verification, and verifying the signature information by using the public key of the entity to be verified;
fourthly, the TPM is informed when the verification is passed, and the TPM stores the user key mapping table after receiving the information; and if the verification fails, deleting the current user key information and carrying out measurement again.
The invention has the beneficial effects that:
(1) techniques for protecting an entity's expected metric value using digital signatures
The Hash of the original entity information is signed by using a digital signature technology, so that the integrity and the authenticity of the entity information are effectively protected;
(2) the operations of signing and verifying the signature in the trust chain are completed without CA authentication
Under the condition that a CA certificate system is not introduced, the TPM is directly used as a trusted root, the SM9 cryptographic algorithm is introduced, and the TPM is used as a key generation center, so that the processes of digital signature and signature verification are realized, the safety and the reliability of the whole process are ensured, and the efficiency is improved.
Drawings
FIG. 1 is a trust chain model;
FIG. 2 is a signature process;
FIG. 3 is a flow chart of a next stage of the previous stage measurement;
fig. 4 is a verification process.
Detailed Description
The technical solutions of the present invention are further described in detail below with reference to the accompanying drawings, but the scope of the present invention is not limited to the following.
A novel trust chain design method based on SM9 cryptographic algorithm comprises the following design processes:
1) initialization
Factory initialization setting of the TPM chip, setting public parameters of SM9 key generation, signature algorithm and signature verification algorithm according to the algorithm flow of SM 9;
2) establishing a key mapping table
Taking TPM as a trusted center key generation center KGC, and marking the identity of a single component on a trust chain as IDiThe ordered node sequence from the trusted root to the module currently being verified for signature is denoted as IDT (ID)1,ID2,...IDn) Before loading each component, the verifier checks whether the boot sequence is expected, distributes a private key and a public key in the signature verification process according to the ID information, and uses QiRepresentative IDiPublic key of verification signature corresponding to component, using diRepresentative IDiComponent-specific user private key, using mapping table (ID)i,Qi,di) The form is stored in the TPM;
3) generating signature information
As shown in fig. 2, in the firmware downloading process, hash operation is performed on the firmware, a key mapping table is searched, a user signature private key is used to sign the hash result according to the SM9 signature algorithm flow, signature information of each entity is generated, and finally, the signature information and the original entity information are combined and encapsulated;
4) metric verification
The information of the verified entity and the entity to be verified, and the process of metric verification are shown in fig. 3;
firstly, the verified entity sends the data of the entity to be verified to the TPM through a functional program, wherein the data comprises information such as the ID and the firmware code of the current entity, the ID of the next entity and the like;
after the TPM obtains the ID information, a key mapping table is searched to obtain a corresponding public key, meanwhile, hash operation is carried out on the data sent in the first step, and the hashed data and the corresponding public key for verifying the signature are sent to a verified entity;
reading the signature information of the entity to be verified by the verified entity for verification, and verifying the signature information by using the public key of the entity to be verified, wherein the specific verification flow is shown in FIG. 4;
fourthly, the TPM is informed when the verification is passed, and the TPM stores the user key mapping table after receiving the information; and if the verification fails, deleting the current user key information and carrying out measurement again.
The invention introduces a mechanism based on identity identification signature and verification signature, and redesigns the trust chain establishment process. The TPM is used as a trust root and an identity identification key to generate a trust center, the SM9 digital signature verification mechanism and the data integrity verification mechanism are used for verifying the integrity and the authenticity of the starting entity, a safe and trusted trust chain is established, meanwhile, the method is also suitable for safely updating the entities in the trust chain, and the safety problems existing in the trust chain establishment and entity updating processes are solved.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, it should be noted that any modifications, equivalents and improvements made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (1)

1. A trust chain design method based on SM9 cryptographic algorithm is characterized in that the design flow is as follows:
1) initialization
Factory initialization setting of the TPM chip, setting public parameters of SM9 key generation, signature algorithm and signature verification algorithm according to the algorithm flow of SM 9;
2) establishing a key mapping table
Taking TPM as a trusted center key generation center KGC, and marking the identity of a single component on a trust chain as IDiThe ordered node sequence from the trusted root to the module currently being verified for signature is denoted as IDT (ID)1,ID2,...IDn) Before loading each component, the verifier checks whether the boot sequence is expected, distributes a private key and a public key in the signature verification process according to the ID information, and uses QiRepresentative IDiPublic key of verification signature corresponding to component, using diRepresentative IDiComponent-specific user private key, using mapping table (ID)i,Qi,di) The form is stored in the TPM;
3) generating signature information
Procedure for generating signature information: in the process of downloading the firmware, carrying out hash operation on the firmware, searching a key mapping table, signing the hash result by using a user signature private key according to the SM9 signature algorithm flow, generating signature information of each entity, and finally carrying out combined encapsulation with the original entity information;
4) metric verification
Information of the verified entity and the entity to be verified, and the process of metric verification:
firstly, the verified entity sends the data of the entity to be verified to the TPM through a functional program, wherein the data comprises the ID and the firmware code of the current entity and the ID information of the next entity;
after the TPM obtains the ID information, a key mapping table is searched to obtain a corresponding public key, hash operation is carried out on the entity data to be verified sent in the step I, and the hashed data and the corresponding public key of the verification signature are sent to the verified entity;
reading the signature information of the entity to be verified by the verified entity for verification, and verifying the signature information by using the public key of the entity to be verified;
fourthly, the TPM is informed when the verification is passed, and the TPM stores the user key mapping table after receiving the information; and if the verification fails, deleting the current user key information and carrying out measurement again.
CN201811035759.8A 2018-09-06 2018-09-06 Trust chain design method based on SM9 cryptographic algorithm Active CN109245899B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811035759.8A CN109245899B (en) 2018-09-06 2018-09-06 Trust chain design method based on SM9 cryptographic algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811035759.8A CN109245899B (en) 2018-09-06 2018-09-06 Trust chain design method based on SM9 cryptographic algorithm

Publications (2)

Publication Number Publication Date
CN109245899A CN109245899A (en) 2019-01-18
CN109245899B true CN109245899B (en) 2021-03-16

Family

ID=65060977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811035759.8A Active CN109245899B (en) 2018-09-06 2018-09-06 Trust chain design method based on SM9 cryptographic algorithm

Country Status (1)

Country Link
CN (1) CN109245899B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109871694B (en) * 2019-03-14 2019-11-08 沈昌祥 A kind of staticametric method based on dual Architecture credible calculating platform
CN111143887B (en) * 2019-12-26 2022-05-24 海光信息技术股份有限公司 Safety control method, processor, integrated device and computer equipment
CN111241548B (en) * 2020-01-07 2022-09-09 飞腾信息技术有限公司 Computer starting method
CN113779652A (en) * 2020-06-09 2021-12-10 华为技术有限公司 Data integrity protection method and device
CN112054895A (en) * 2020-08-10 2020-12-08 国电南瑞科技股份有限公司 Trusted root construction method and application
CN114722413B (en) * 2022-04-22 2024-06-25 苏州浪潮智能科技有限公司 Method, device, server and medium for establishing security trust chain

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101122936A (en) * 2007-09-21 2008-02-13 武汉大学 Embed type platform guiding of credible mechanism
CN101145906A (en) * 2006-09-13 2008-03-19 北京邦天科技有限公司 Method and system for authenticating legality of receiving terminal in unidirectional network
CN101257386A (en) * 2008-03-11 2008-09-03 南京邮电大学 Dynamic accesses control method based on trust model
CN101369889A (en) * 2007-08-13 2009-02-18 深圳兆日技术有限公司 System and method for electronic endorsement of document
CN105930733A (en) * 2016-04-18 2016-09-07 浪潮集团有限公司 Trust chain construction method and apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9721101B2 (en) * 2013-06-24 2017-08-01 Red Hat, Inc. System wide root of trust chaining via signed applications

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145906A (en) * 2006-09-13 2008-03-19 北京邦天科技有限公司 Method and system for authenticating legality of receiving terminal in unidirectional network
CN101369889A (en) * 2007-08-13 2009-02-18 深圳兆日技术有限公司 System and method for electronic endorsement of document
CN101122936A (en) * 2007-09-21 2008-02-13 武汉大学 Embed type platform guiding of credible mechanism
CN101257386A (en) * 2008-03-11 2008-09-03 南京邮电大学 Dynamic accesses control method based on trust model
CN105930733A (en) * 2016-04-18 2016-09-07 浪潮集团有限公司 Trust chain construction method and apparatus

Also Published As

Publication number Publication date
CN109245899A (en) 2019-01-18

Similar Documents

Publication Publication Date Title
CN109245899B (en) Trust chain design method based on SM9 cryptographic algorithm
CN109325331B (en) Big data acquisition transaction system based on block chain and trusted computing platform
US11356280B2 (en) Personal device security using cryptocurrency wallets
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CA2838675C (en) Implicitly certified digital signatures
CA2838322C (en) Secure implicit certificate chaining
CN112737779B (en) Cryptographic machine service method, device, cryptographic machine and storage medium
US10880100B2 (en) Apparatus and method for certificate enrollment
CN109495268B (en) Two-dimensional code authentication method and device and computer readable storage medium
TWI776404B (en) Method of authenticating biological payment device, apparatus, electronic device, and computer-readable medium
CN111340485A (en) Configuration method of digital certificate for alliance block chain, terminal and root certificate server
KR20120091618A (en) Digital signing system and method using chained hash
CN101789939B (en) Effective realization method for credible OpenSSH
CN111241492A (en) Product multi-tenant secure credit granting method, system and electronic equipment
US8954728B1 (en) Generation of exfiltration-resilient cryptographic keys
TWI773161B (en) Digital signature private key verification method
CN101834852B (en) Realization method of credible OpenSSH for protecting platform information
CN111859314A (en) SM2 encryption method, system, terminal and storage medium based on encryption software
CN113326527A (en) Credible digital signature system and method based on block chain
CN111949996A (en) Generation method, encryption method, system, device and medium of security private key
Zheng et al. Trusted user authentication scheme combining password with fingerprint for mobile devices
CN118233218A (en) Remote authentication system and method based on distributed trusted execution environment application
CN117499054A (en) Certificate updating method, device, equipment and storage medium based on zero trust
CN118296660A (en) Trusted terminal implementation method for sensor data acquisition
WO2023126491A1 (en) Method and system for generating digital signatures using universal composition

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant