CN109981255A - Method and system for updating a key pool - Google Patents

Info

Publication number: CN109981255A
Authority: CN (China)
Prior art keywords: public key, client, server, key, update
Legal status: Granted
Application number: CN201910261653.8A
Other languages: Chinese (zh)
Other versions: CN109981255B (en)
Inventors: 富尧, 钟一民, 汪仲祥
Current Assignee: Ruban Quantum Technology Co Ltd
Original Assignee: Ruban Quantum Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The present invention relates to a method and system for updating a key pool, comprising a client and a server, each provided with a key card containing a key pool. The client sends a first encrypted message and a second random number to the server, and the server uses the second random number to decrypt the first encrypted message. The first encrypted message is the data file and digital signature encrypted with a server public key; the server public key is extracted from the key pool using the second random number generated by the key card. The data file includes update request parameters and a first random number, the first random number being used by the server to extract the client public key. The digital signature is obtained by encrypting, with the client private key, the data file after an operation has been applied to it. After verifying the digital signature using the first random number, the server parses the data file and initiates the key pool update. Throughout the process the public and private keys of the client and the server are stored in key cards; a key card is an independent hardware-isolated device, which greatly reduces the possibility of keys being stolen by malware.

Description

Method and system for updating a key pool
Technical field
The present invention relates to secure communications, and in particular to a method and system for updating a key pool.
Background
The widespread use of Internet technology lets people who do not know each other, in every corner of the world, exchange information and share information resources quickly. During such exchanges, people do not always want the information they send to be known to everyone; for various reasons, a sender may want the information to be learned only by the people it concerns. To this end, people encrypt the information they send with a cipher, so that only those holding the same cipher can decrypt it. In addition, in an era when the Internet links the globe into one extensive network, global e-commerce and electronic trade require a unified cipher for encrypting information. Hence the Data Encryption Standard (DES), announced in 1975. With the DES algorithm, a classical cryptosystem, the two communicating parties must be allocated the same key in advance and keep it safe. When no dedicated key management authority exists, how two parties who do not know each other obtain the required key in advance, and how each identifies the other, is an extremely important problem. It comes down to how to authorize the other party to become one's sole legitimate communication partner for this communication, with the legal right and ability to decrypt the ciphertext one sends.
A key card is an identity authentication and encryption/decryption product that combines cryptographic technology, hardware security isolation technology and quantum physics technology (where it carries a quantum random number generator). The embedded chip and operating system of the key card provide functions such as secure storage of keys and cryptographic algorithms. Because it has independent data-processing capability and good security, the key card becomes the security barrier for the private key and the key pool. Each key card can be protected by a hardware PIN code; the PIN code and the hardware are the two factors a user needs in order to use the key card, so-called "two-factor authentication": a user can log in to the system only when holding both the key card that stores the relevant authentication information and the user PIN code. Even if the user's PIN code is leaked, the legitimate user's identity cannot be counterfeited as long as the key card the user holds is not stolen; if the user's key card is lost, the finder does not know the user PIN code and likewise cannot counterfeit the legitimate user's identity. In short, the key card keeps top-secret information such as keys from appearing in plaintext on the host's disk or in its memory, which effectively ensures the security of that information.
Problem with the prior art:
1. After a client asymmetric key pool has been issued, if a client needs to update its public key, there is no suitable method for updating the client asymmetric key pool.
Summary of the invention
In view of this, it is necessary to provide a method and system for updating a key pool that address the above problem.
A method for updating a key pool, implemented at a client, the client being equipped with a key card in which the key pool is stored, the update method comprising:
generating a data file, the data file including update request parameters and a first random number, the first random number being used by the server to extract the client public key;
obtaining a digital signature by encrypting, with the client private key, the data file after an operation has been applied to it;
encrypting the data file and the digital signature with a server public key to obtain a first encrypted message, the server public key being extracted from the key pool using a second random number generated by the key card;
sending the first encrypted message and the second random number to the server, so that the server initiates the key pool update after verification.
In this embodiment, one server corresponds to multiple clients, and both the server and the clients have key cards. All client key cards are issued by the server, and the public and private keys are stored in the key cards. The server key card holds two key pools: the client asymmetric key pool (public key pool) and the server asymmetric key pool (private key pool). The client key card holds the client asymmetric key pool (public key pool), the server asymmetric key pool (public key pool) and the client private key. The client asymmetric key pool (public key pool) stores the public keys of all clients, the server asymmetric key pool (private key pool) stores the server's private keys, and the server asymmetric key pool (public key pool) stores the server's public keys. The client asymmetric key pool (public key pool) holds the public key of each client, and the storage location of each public key pk can be determined from a public key pointer random number r. Each pk is stored together with a pk generation time Tpk, which is the time at which the server obtained that pk; that is, Tpk is determined uniformly by the server. The public key pointer random number r also serves as the client's ID.
The public and private keys in the key card are used to sign and encrypt the process by which the client updates the key pool, which ensures the confidentiality and reliability of the messages. The key pool always resides in the key card, which is an independent hardware-isolated device, so the possibility of keys being stolen by malware or malicious operation is greatly reduced.
In one embodiment, the method further comprises: receiving an encrypted update file from the server, the update file being generated by the server after it has verified the encrypted message and containing the digital signature of an update message, the second random number and the update message, the update message including the data file and an update result; and, after the digital signature of the update message has been verified, parsing the update message and updating the key pool.
In one embodiment, the method of verifying the digital signature of the update message comprises:
decrypting the encrypted update file with the client private key;
extracting the server public key from the key card using the second random number, and decrypting the digital signature of the update message with the server public key to obtain an update message digest;
applying the corresponding operation to the update message in the update file and comparing the resulting digest value with the update message digest, thereby verifying the digital signature of the update message.
In one embodiment, when the update request parameters include the client public key, the client public key generation time and the client's new public key, the method of parsing the update message comprises: comparing the client public key and client public key generation time in the update request parameters with the client public key and client public key generation time stored in the key card and, once they are determined to be equal, updating the client public key pool.
In one embodiment, when the update request parameters include the public key pointer random number of a communication client and the communication client public key generation time, the method of parsing the update message comprises:
replacing the communication client public key and public key update time recorded in the key card with the new public key and new public key generation time in the update result.
A method for updating a key pool, implemented at a server, the server being equipped with a key card in which the key pool is stored, the update method comprising:
receiving a first encrypted message and a second random number, wherein the first encrypted message is obtained by encrypting a data file and a digital signature with a server public key;
extracting the server private key from the key pool in the key card using the second random number, and decrypting the first encrypted message with the server private key to obtain the data file and the digital signature, wherein the data file includes update request parameters and a first random number, the first random number being used by the server to extract the client public key, and the digital signature is obtained by encrypting, with the client private key, the data file after an operation has been applied to it;
after the digital signature has been verified using the first random number, parsing the data file and initiating the key pool update.
In one embodiment, the method further comprises: generating an update file, the update file including an update message, the second random number and the digital signature of the update message, the update message including the data file and an update result;
obtaining the digital signature of the update message by encrypting, with the server private key, the update message after an operation has been applied to it, the server private key being extracted from the key pool using the second random number generated by the key card;
encrypting the update file with the client public key of the client to obtain an encrypted update file;
sending the first random number and the encrypted update file to the client, so that the client updates the key pool after verification.
In one embodiment, when the update request parameters include the client public key, the client public key generation time and the client's new public key, the step of parsing the data file comprises:
comparing the client public key and client public key generation time stored in the server key card with the client public key and client public key generation time in the received update request parameters and, once they are determined to be equal, initiating the key pool update at the server.
In one embodiment, when the update request parameters include the public key pointer random number of a communication client and the communication client public key generation time, the step of parsing the data file comprises:
comparing the communication client public key generation time in the received update request parameters with the communication client public key generation time recorded in the server key card; if they are equal, the client's public key does not need to be replaced.
A system for updating a key pool, comprising a client and a server, each provided with a key card in which the key pool is stored. The client sends a first encrypted message and a second random number to the server, and the server uses the second random number to decrypt the first encrypted message. The first encrypted message is the data file and digital signature encrypted with a server public key; the server public key is extracted from the key pool using the second random number generated by the key card. The data file includes update request parameters and a first random number, the first random number being used by the server to extract the client public key. The digital signature is obtained by encrypting, with the client private key, the data file after an operation has been applied to it. After verifying the digital signature using the first random number, the server parses the data file and initiates the key pool update.
In the above method and system for updating a key pool, the client and the server are each provided with a key card in which the key pool is stored. The client sends a first encrypted message and a second random number to the server, and the server uses the second random number to decrypt the first encrypted message. The first encrypted message is the data file and digital signature encrypted with a server public key; the server public key is extracted from the key pool using the second random number generated by the key card. The data file includes update request parameters and a first random number, the first random number being used by the server to extract the client public key. The digital signature is obtained by encrypting, with the client private key, the data file after an operation has been applied to it. After verifying the digital signature using the first random number, the server parses the data file and initiates the key pool update. Key cards store the client's public and private keys and, at the server, the public and private keys corresponding to the different clients. A public or private key in the key card can be selected for computation only by means of a random number, and neither public nor private keys leave the key card at any point in the computation. The key card is an independent hardware-isolated device, so the possibility of keys being stolen by malware or malicious operation is greatly reduced.
Brief description of the drawings
Fig. 1 is a diagram of the internal structure of the server key card used in the present invention;
Fig. 2 is a diagram of the internal structure of the client key card used in the present invention.
Detailed description
In the embodiments of the present invention, one server corresponds to multiple clients, and both the server and the clients have key cards. All client key cards are issued by the server, and the public and private keys are stored in the key cards.
The server key card holds two key pools: the client asymmetric key pool (public key pool) and the server asymmetric key pool (private key pool);
the client key card holds the client asymmetric key pool (public key pool), the server asymmetric key pool (public key pool) and the client private key;
the client asymmetric key pool (public key pool) stores the public keys of all clients, the server asymmetric key pool (private key pool) stores the server's private keys, and the server asymmetric key pool (public key pool) stores the server's public keys.
The client asymmetric key pool (public key pool) holds the public key of each client, and the storage location of each public key pk can be determined from a public key pointer random number r. Each pk is stored together with a pk generation time Tpk, which is the time at which the server obtained that pk; that is, Tpk is determined uniformly by the server. The public key pointer random number r also serves as the client's ID.
In the following embodiments, the clients are client A and client B, each of which obtains its key card from the issuing party, server S.
Embodiment 1
Step 1.1: client A requests that S update client A's client public key pkA
Client A combines its own public key pointer random number rA (the first random number, which is used to extract the client public key pkA), the client public key pkA, the client public key generation time TpkA and the client's new public key pkAnew to obtain rA||pkA||TpkA||pkAnew, which is named data file mA. Here the update request parameters are the client public key pkA, the client public key generation time TpkA and the client's new public key pkAnew. When client A generates the new public key pkAnew it also generates the client's new private key skAnew.
Client A signs data file mA with its own client private key skA: it computes a digest hmA of mA with a hash algorithm and then encrypts the digest with the client private key skA to obtain the digital signature {hmA}skA, named digital signature sA. Using rSA, the public key pointer random number corresponding to server public key pkSA (the second random number), it takes the server public key pkSA out of the corresponding key pool in the key card, then encrypts the digital signature sA and data file mA with pkSA to obtain the first encrypted message {mA||sA}pkSA. It then combines the first encrypted message {mA||sA}pkSA with the second random number rSA and sends the result rSA||{mA||sA}pkSA to server S.
Step 1.2: server S processes client A's request
After receiving the second random number and first encrypted message rSA||{mA||sA}pkSA sent by client A, server S uses the second random number rSA to obtain the server private key skSA corresponding to A from the server asymmetric key pool (private key pool) of the server key card, and decrypts the first encrypted message {mA||sA}pkSA with skSA to obtain the data file and digital signature mA||sA, that is, the digital signature sA and the data file rA||pkA||TpkA||pkAnew.
Using the first random number rA, it takes A's client public key pkA out of the client asymmetric key pool (public key pool) of the server key card and verifies the digital signature sA with pkA: it computes a new digest hmA' of mA with the same hash algorithm as client A, decrypts the digital signature sA with the client public key pkA to obtain the old digest hmA, and compares the new digest with the old one. If they are the same, client A's identity is confirmed; otherwise server S refuses to update the key.
It records the current server time TpkAnew. The server then parses the data file: it checks whether the client public key pkA and client public key generation time TpkA parsed from data file mA equal the client public key pkA and client public key generation time TpkA taken from the server key card. If they are equal, it replaces the client public key pkA in the key card with the client's new public key pkAnew and replaces the client public key generation time TpkA in the key card with TpkAnew.
Step 1.3: server S sends the update result to client A as the response
The update message includes the data file and the update result: if the update succeeded, the update message is mAS=mA||TpkAnew; if the update failed, the update message is mAS=mA||ResultA, where ResultA is the reason the update failed.
Server S signs the update message mAS with the server private key skSA, in a process similar to client A's signing in step 1; the resulting signature {hmAS}skSA is named the digital signature sAS of the update message, where hmAS is the update message digest, and the public key pointer random number of the server private key used for signing is rSA, the second random number. Server S encrypts the update file with the client's client public key pkA to obtain the second encrypted message {mAS||rSA||sAS}pkA, the update file comprising the update message mAS, the second random number rSA and the digital signature sAS of the update message. It then sends the first random number and the second encrypted message, rA||{mAS||rSA||sAS}pkA, to A.
Step 1.4: client A receives the response from server S
After receiving the message rA||{mAS||rSA||sAS}pkA sent by server S, client A decrypts the encrypted update file {mAS||rSA||sAS}pkA in it with the client private key skA to obtain the update file mAS||rSA||sAS.
Using the second random number rSA, it takes the server public key pkSA out of the key card and verifies the digital signature sAS of the update message with pkSA. The verification is similar to server S's signature verification in step 1.2: the digest value obtained by applying the corresponding operation to the update message mAS in the update file mAS||rSA||sAS is compared with the update message digest hmAS. If verification fails, the key update fails and the process ends; if it succeeds, the following steps are carried out.
It parses the update message mAS. If ResultA is obtained, the update failed; the reason for the failure can be inspected, and the process ends. If TpkAnew is obtained, then pkA, TpkA, pkAnew and TpkAnew are obtained.
It checks whether the client public key pkA and client public key generation time TpkA parsed from update message mAS equal the client public key pkA and client public key generation time TpkA taken from the key card. If they are equal, it replaces the client public key pkA in the key card with the client's new public key pkAnew and replaces the client public key generation time TpkA in the key card with TpkAnew. At the same time client A replaces the old client private key skA with the client's new private key skAnew.
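The exchange of Embodiment 1 (steps 1.1 to 1.4), as an added Python example that is not part of the patent text: each key card is modelled as a dictionary of pools indexed by pointer random number, and the block shows the server's signature check, its compare-and-replace on (pkA, TpkA), and the client's check of the signed reply. Assumptions: all function and field names are hypothetical, the keys are toy textbook-RSA keys built from Mersenne primes (unpadded and trivially factorable), `repr` stands in for `||`, and the two public-key encryption layers {..}pkSA and {..}pkA are left out.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys (assumption)

def mersenne(k):
    return (1 << k) - 1

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def pack(fields):
    """Deterministic byte encoding of a nested tuple; stands in for '||'."""
    return repr(fields).encode()

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(fields, priv):
    """{h(m)}sk: the digest 'encrypted' with the private key, as in step 1.1.
    Unpadded RSA follows the text; deployed code uses a padded scheme."""
    n, d = priv
    return pow(digest(pack(fields)), d, n)

def verify(fields, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(pack(fields))

def client_request(card, pk_new, r_s):
    """Step 1.1: mA = rA||pkA||TpkA||pkAnew, signed with skA."""
    r_a = card["id"]
    pk, t_pk = card["client_pool"][r_a]
    m_a = (r_a, pk, t_pk, pk_new)
    return r_s, m_a, sign(m_a, card["sk"])

def server_handle(card, r_s, m_a, s_a, now):
    """Steps 1.2-1.3: check sA with the pooled pkA, compare, replace, reply."""
    sk_s = card["server_priv_pool"].get(r_s)
    r_a, pk, t_pk, pk_new = m_a
    entry = card["client_pool"].get(r_a)
    if sk_s is None or entry is None or not verify(m_a, s_a, entry[0]):
        return None  # identity not confirmed: refuse to update
    if entry == (pk, t_pk):
        card["client_pool"][r_a] = (pk_new, now)  # TpkAnew is server time
        result = ("updated", now)
    else:
        result = ("failed", "pkA/TpkA differ from the server record")
    m_as = (m_a, result)
    return r_a, m_as, r_s, sign(m_as, sk_s)

def client_apply(card, sk_new, r_a, m_as, r_s, s_as):
    """Step 1.4: verify sAS with pkSA selected by rSA, then swap the keys."""
    pk_s = card["server_pub_pool"][r_s]
    if not verify(m_as, s_as, pk_s):
        return False
    (_, pk, t_pk, pk_new), (status, value) = m_as
    if status != "updated" or card["client_pool"][r_a] != (pk, t_pk):
        return False
    card["client_pool"][r_a] = (pk_new, value)
    card["sk"] = sk_new
    return True

def run_demo():
    # Constructed sample values: toy keys, pointer numbers and timestamps.
    pk_a, sk_a = keypair(mersenne(521), mersenne(607))
    pk_a2, sk_a2 = keypair(mersenne(2281), mersenne(3217))
    pk_s, sk_s = keypair(mersenne(1279), mersenne(2203))
    r_a, r_s, t0, t1 = 1001, 7, 1_700_000_000, 1_700_000_600
    server = {"client_pool": {r_a: (pk_a, t0)},
              "server_priv_pool": {r_s: sk_s}}
    client = {"id": r_a, "sk": sk_a, "client_pool": {r_a: (pk_a, t0)},
              "server_pub_pool": {r_s: pk_s}}
    req = client_request(client, pk_a2, r_s)
    # A request whose new key was swapped in transit keeps the old signature.
    altered = (req[0], req[1][:3] + (pk_s,), req[2])
    out = {"tampered": server_handle(server, *altered, now=t1)}
    reply = server_handle(server, *req, now=t1)
    out["applied"] = client_apply(client, sk_a2, *reply)
    out["server_entry"] = server["client_pool"][r_a]
    out["client_entry"] = client["client_pool"][r_a]
    # The same request sent again is now checked against pkAnew and refused.
    out["replayed"] = server_handle(server, *req, now=t1 + 60)
    return out, (pk_a2, t1)

if __name__ == "__main__":
    results, _ = run_demo()
    print({k: v for k, v in results.items() if not k.endswith("_entry")})
```

Because the server verifies sA against the key currently stored at rA, a captured request stops verifying as soon as the update has been applied.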
Embodiment 2
Step 2.1: when client B needs to use the public key of communication client A, client B asks server S whether the communication client public key pkA of communication client A needs to be updated
Client B combines its own public key pointer random number rB (the first random number), the public key pointer random number rA of the communication client, and the communication client public key generation time TpkA of communication client public key pkA to obtain rB||rA||TpkA, which is named data file mB. Including the communication client public key generation time TpkA reports to server S the latest time of communication client A's public key held locally by client B, in order to ask whether the communication client public key needs to be updated. The update request parameters are the public key pointer random number rA of the communication client and the communication client public key generation time TpkA.
Client B signs data file mB with its own client private key skB: it computes a digest hmB of data file mB with a hash algorithm and then encrypts the digest with skB to obtain the signature {hmB}skB, named digital signature sB. Using rSB, the public key pointer random number corresponding to server public key pkSB (the second random number), it takes the server public key pkSB out of the key card, then encrypts the digital signature sB and data file mB with pkSB to obtain the first encrypted message {mB||sB}pkSB. It then combines the first encrypted message {mB||sB}pkSB with the second random number rSB and sends the result rSB||{mB||sB}pkSB to server S.
Step 2.2: server S processes client B's request
After receiving the message rSB||{mB||sB}pkSB sent by client B, server S uses the public key pointer random number rSB (the second random number) to obtain the server private key skSB corresponding to B from the server asymmetric key pool (private key pool) of the server key card, and decrypts the first encrypted message {mB||sB}pkSB with skSB to obtain mB||sB, that is, the digital signature sB and the data file rB||rA||TpkA.
Using the first random number rB, it takes client B's client public key pkB out of the client asymmetric key pool (public key pool) of the server key card and verifies the digital signature sB with pkB: it computes a new digest hmB' of data file mB with the same hash algorithm as client B, decrypts the digital signature sB with pkB to obtain the old digest hmB, and compares the new digest with the old one. If they are the same, client B's identity is confirmed; otherwise server S refuses to reply to the message.
Server S then checks whether the communication client public key needs updating: using the communication client public key pointer random number rA obtained by parsing data file mB, it takes the communication client public key generation time TpkA' out of the server key card and compares it with the communication client public key generation time TpkA obtained by parsing data file mB. If they are equal, client A's public key does not need to be replaced; if they are not equal, client A's public key needs to be replaced.
Step 2.3. server S is sent to customer end B updates result in response
If necessary to update the public key of customer end A, update message mBS=mB is enabled | | pkAnew | | TpkAnew, if be not required to The public key of customer end A is updated, then enables update message mBS=mB | | ResultB, wherein ResultB includes not need to update visitor The content of the public key of family end A.
Server S signs to update message mBS with privacy key skSB, signs with server B in step 2.1 Process is similar, and signed { hmBS } skSB, is named as the digital signature sBS of update message, wherein hmBS plucks for update message It wants, the public key pointer random number of the private key of signature is rSB i.e. the second random number.Server S is with client public key pkB to update File encrypted to obtain the second encryption message mBS | | rSB | | sBS } pkB, the update file includes update message mBS, The digital signature sBS of two random number rSB, update message, then the first random number and second are encrypted into message rB | | mBS | | rSB | | SBS } pkB is sent to customer end B.
Step 2.4. customer end B receives the response of server S
Customer end B receives the message rB that server S sends over | | and mBS | | rSB | | sBS } after pkB, with oneself end private key SkB decryption it is therein second encryption message mBS | | rSB | | sBS } pkB obtain update file mBS | | rSB | | sBS.
Server public key pkSB is taken out from key card according to two random number rSB, is verified and is updated with server public key pkSB The digital signature sBS of message, verification process are similar to S verifying signature process in step 2.2.The more new key if authentication failed Failure, process terminate, and following step is carried out if being proved to be successful.
Update message mBS is parsed, is not necessarily to update if that obtain is ResultB, process terminates;If what is obtained is PkAnew and TpkAnew will then update new public key pkAnew and new public key in result and generate in time TpkAnew replacement key card The communication customer end public key pkA and public key renewal time TpkA recorded, i.e., the pkA in replacement key card is pkAnew, more The TpkA changed in key card is TpkAnew.
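Added example (not part of the patent text): a Python walk-through of the request half of the exchange, steps 2.1 and 2.2, from client B building rSB||{mB||sB}pkSB to server S resolving the pointers, verifying sB and comparing TpkA. Assumptions made here: key pools are modelled as dictionaries keyed by 16-byte pointer random numbers, mB uses fixed-length fields, and textbook RSA over toy Mersenne-prime keys stands in for the key card's asymmetric algorithm, so it is unsuitable for real use.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA from two primes: toy parameters, no padding (illustration only)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

def nbytes(key):
    return (key[0].bit_length() + 7) // 8

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):            # {h}sk: digest "encrypted" with the private key
    return pow(digest(data), priv[1], priv[0])

def verify(data, sig, pub):      # recover old digest with pk, compare with new digest
    return 0 <= sig < pub[0] and pow(sig, pub[1], pub[0]) == digest(data)

def encrypt(plain, pub):
    m = int.from_bytes(b"\x01" + plain, "big")  # 0x01 marker preserves leading zeros
    if m >= pub[0]:
        raise ValueError("plaintext does not fit in one RSA block")
    return pow(m, pub[1], pub[0])

def decrypt(cipher, priv):
    m = pow(cipher, priv[1], priv[0])
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01":
        raise ValueError("malformed block")
    return raw[1:]

def client_request(rB, skB, rSB, pkSB, rA, TpkA):
    """Step 2.1: build rSB || {mB || sB}pkSB with mB = rB || rA || TpkA."""
    mB = rB + rA + TpkA.to_bytes(8, "big")
    sB = sign(mB, skB).to_bytes(nbytes(skB), "big")
    return rSB + encrypt(mB + sB, pkSB).to_bytes(nbytes(pkSB), "big")

def server_handle(msg, server_priv_pool, client_pub_pool):
    """Step 2.2: ("reject", None), ("ResultB", None) or ("update", (pkAnew, TpkAnew))."""
    try:
        skSB = server_priv_pool[msg[:16]]                  # rSB selects skSB
        plain = decrypt(int.from_bytes(msg[16:], "big"), skSB)
        mB, sB = plain[:40], int.from_bytes(plain[40:], "big")
        rB, rA, TpkA = mB[:16], mB[16:32], int.from_bytes(mB[32:], "big")
        pkB, _ = client_pub_pool[rB]                       # rB selects pkB
        if len(mB) != 40 or not verify(mB, sB, pkB):
            return ("reject", None)                        # identity of B not confirmed
        pkA, TpkA_srv = client_pub_pool[rA]                # rA selects pkA and TpkA'
    except (KeyError, ValueError):
        return ("reject", None)                            # unknown pointer or bad block
    if TpkA_srv == TpkA:
        return ("ResultB", None)                           # client's copy is current
    return ("update", (pkA, TpkA_srv))                     # goes into mBS in step 2.3

# Constructed sample data: pointer values, times and keys are made up for this example.
PK_B, SK_B = keypair(2**521 - 1, 2**607 - 1)
PK_S, SK_S = keypair(2**607 - 1, 2**1279 - 1)
PK_A, _ = keypair(2**127 - 1, 2**521 - 1)
R_B, R_SB, R_A = b"B" * 16, b"S" * 16, b"A" * 16
SERVER_PRIV_POOL = {R_SB: SK_S}
CLIENT_PUB_POOL = {R_B: (PK_B, 1000), R_A: (PK_A, 2000)}

def run(TpkA, signer=SK_B):
    """Client B asks about client A's key, claiming generation time TpkA."""
    msg = client_request(R_B, signer, R_SB, PK_S, R_A, TpkA)
    return server_handle(msg, SERVER_PRIV_POOL, CLIENT_PUB_POOL)
```

A request signed by any key other than the one the pool holds under rB, or one whose pointer is not in the pool, ends in "reject" before the generation times are ever compared.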
The above embodiment can be applied in a key pool update system. The system comprises a client and a server, each provided with a key card in which the key pool is stored, and is characterized in that the client sends a first encrypted message and a second random number to the server, and the server uses the second random number to decrypt the first encrypted message. The first encrypted message is a data file and a digital signature encrypted with the server public key; the server public key is extracted using the second random number generated by the key card in combination with the key pool; the data file comprises update request parameters and a first random number, the first random number being used by the server to extract the client public key; the digital signature is obtained by encrypting the data file, after an operation on it, with the client private key. After the server uses the first random number to verify the digital signature successfully, it parses the data file and initiates the key pool update.
In the present invention, key cards store the client's public and private keys and, on the server, the public and private keys corresponding to the different clients. A public or private key in the key card can only be selected for computation according to an asymmetric key pointer random number, and the public and private keys never leave the key card during the whole computation. The public and private keys in the key card are used to sign and encrypt the process of updating the key pool in the client, which guarantees the confidentiality and reliability of the messages. The key pool is always located in the key card, and the key card is an independent, hardware-isolated device, so the possibility of keys being stolen by malware or malicious operations is greatly reduced.
The present invention takes the asymmetric key pool as an example to illustrate how asymmetric key pool data can be updated securely. The invention can also be used to update other data in the key card, such as symmetric key pools, user shared data and so on.
The technical features of the embodiments described above can be combined arbitrarily. For brevity, not every possible combination of the technical features in the above embodiments has been described; however, as long as a combination of these technical features contains no contradiction, it should be considered to fall within the scope of this specification.
The embodiments described above express only several implementations of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the invention. Therefore, the protection scope of this patent shall be subject to the appended claims.

Claims (10)

1. A key pool update method, implemented in a client, the client being provided with a key card in which the key pool is stored, characterized in that the update method comprises:
generating a data file, the data file comprising update request parameters and a first random number, the first random number being used by the server to extract the client public key;
encrypting the data file, after an operation on it, with the client private key to obtain a digital signature;
encrypting the data file and the digital signature with the server public key to obtain a first encrypted message, the server public key being extracted using a second random number generated by the key card in combination with the key pool;
sending the first encrypted message and the second random number to the server, for the server to initiate the key pool update after authentication.
2. The key pool update method according to claim 1, characterized by further comprising: receiving an encrypted update file from the server, the update file being generated by the server after it authenticates the encrypted message and containing an update message, the second random number and a digital signature of the update message, the update message comprising the data file and an update result; and, after the digital signature of the update message is verified, parsing the update message to update the key pool.
3. The key pool update method according to claim 2, characterized in that the method of verifying the digital signature of the update message comprises:
decrypting the encrypted update file with the client private key;
extracting the server public key using the second random number in combination with the key card, and decrypting the digital signature of the update message with the server public key to obtain an update message digest;
comparing the digest value obtained by performing the corresponding operation on the update message in the update file with the update message digest, thereby authenticating the digital signature of the update message.
4. The key pool update method according to claim 3, characterized in that, when the update request parameters comprise a client public key, a client public key generation time and a new client public key, the method of parsing the update message comprises:
comparing the client public key and the client public key generation time in the update request parameters with the client public key and the client public key generation time stored in the key card and, after determining that they are equal, updating the client public key pool.
5. The key pool update method according to claim 2, characterized in that, when the update request parameters comprise a public key pointer random number of a communication client and a communication client public key generation time, the method of parsing the update message comprises:
replacing the communication client public key and the public key update time recorded in the key card with the new public key and the new public key generation time in the update result.
6. A key pool update method, implemented in a server, the server being provided with a key card in which the key pool is stored, characterized in that the update method comprises:
receiving a first encrypted message and a second random number, wherein the first encrypted message is obtained by encrypting a data file and a digital signature with the server public key;
extracting the server private key using the second random number in combination with the key pool in the key card, and decrypting the first encrypted message with the server private key to obtain the data file and the digital signature, wherein the data file comprises update request parameters and a first random number, the first random number being used by the server to extract the client public key, and the digital signature is obtained by encrypting the data file, after an operation on it, with the client private key;
after the digital signature is verified using the first random number, parsing the data file and initiating the key pool update.
7. The key pool update method according to claim 6, characterized by further comprising:
generating an update file, the update file comprising an update message, the second random number and a digital signature of the update message, the update message comprising the data file and an update result;
encrypting the update message, after an operation on it, with the server private key to obtain the digital signature of the update message, the server private key being extracted using the second random number generated by the key card in combination with the key pool;
encrypting the update file with the client public key of the client to obtain an encrypted update file;
sending the first random number and the encrypted update file to the client, for the client to update the key pool after verification.
8. The key pool update method according to claim 6, characterized in that, when the update request parameters comprise a client public key, a client public key generation time and a new client public key, the step of parsing the data file comprises:
comparing the client public key and the client public key generation time stored in the server key card with the client public key and the client public key generation time in the obtained update request parameters and, after determining that they are equal, the server initiating the key pool update.
9. The key pool update method according to claim 6, characterized in that, when the update request parameters comprise a public key pointer random number of a communication client and a communication client public key generation time, the step of parsing the data file comprises:
comparing the communication client public key generation time in the obtained update request parameters with the communication client public key generation time recorded in the server key card; if they are equal, the client's public key does not need replacing.
10. A key pool update system, comprising a client and a server, each provided with a key card in which the key pool is stored, characterized in that the client sends a first encrypted message and a second random number to the server, and the server uses the second random number to decrypt the first encrypted message, wherein the first encrypted message is a data file and a digital signature encrypted with the server public key, the server public key is extracted using the second random number generated by the key card in combination with the key pool, the data file comprises update request parameters and a first random number, the first random number being used by the server to extract the client public key, the digital signature is obtained by encrypting the data file, after an operation on it, with the client private key, and the server, after using the first random number to verify the digital signature, parses the data file and initiates the key pool update.
CN201910261653.8A 2019-04-02 2019-04-02 Method and system for updating key pool Active CN109981255B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910261653.8A CN109981255B (en) 2019-04-02 2019-04-02 Method and system for updating key pool

Publications (2)

Publication Number Publication Date
CN109981255A true CN109981255A (en) 2019-07-05
CN109981255B CN109981255B (en) 2022-06-14

Family

ID=67082455

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910261653.8A Active CN109981255B (en) 2019-04-02 2019-04-02 Method and system for updating key pool

Country Status (1)

Country Link
CN (1) CN109981255B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107302541A (en) * 2017-07-31 2017-10-27 成都蓝码科技发展有限公司 A kind of data encryption and transmission method based on http protocol
CN107612899A (en) * 2017-09-08 2018-01-19 浙江神州量子网络科技有限公司 A kind of OpenVPN safety communicating methods and communication system based on quantum key
CN109151053A (en) * 2018-09-20 2019-01-04 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on public asymmetric key pond
CN109302283A (en) * 2018-09-20 2019-02-01 如般量子科技有限公司 Cloud storage method and system is acted on behalf of in anti-quantum calculation based on public asymmetric key pond
CN109347923A (en) * 2018-09-20 2019-02-15 如般量子科技有限公司 Anti- quantum calculation cloud storage method and system based on unsymmetrical key pond

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110519225B (en) * 2019-07-16 2021-08-31 如般量子科技有限公司 Anti-quantum computation HTTPS communication method and system based on asymmetric key pool and certificate cryptography
CN110519226A (en) * 2019-07-16 2019-11-29 如般量子科技有限公司 Quantum communications server-side secret communication method and system based on unsymmetrical key pond and implicit certificate
CN110519225A (en) * 2019-07-16 2019-11-29 如般量子科技有限公司 Anti- quantum calculation https traffic method and system based on unsymmetrical key pond and cryptographic certificate
CN110519226B (en) * 2019-07-16 2021-12-07 如般量子科技有限公司 Quantum communication server secret communication method and system based on asymmetric key pool and implicit certificate
CN110557367A (en) * 2019-07-16 2019-12-10 如般量子科技有限公司 Secret key updating method and system for quantum computing secure communication resistance based on certificate cryptography
CN110557248A (en) * 2019-07-19 2019-12-10 如般量子科技有限公司 Secret key updating method and system for resisting quantum computation signcryption based on certificateless cryptography
CN110417547A (en) * 2019-07-19 2019-11-05 如般量子科技有限公司 The key updating method and system of anti-quantum calculation secret communication based on no cryptographic certificate
CN110557248B (en) * 2019-07-19 2023-06-09 如般量子科技有限公司 Secret key updating method and system based on signcryption of certificateless cryptography
CN110417547B (en) * 2019-07-19 2023-06-09 如般量子科技有限公司 Secret key updating method and system for secret communication based on certificateless cryptography
CN110620668A (en) * 2019-08-09 2019-12-27 如般量子科技有限公司 Block chain-based quantum computation resistant public key pool updating method and system
CN110620668B (en) * 2019-08-09 2022-11-15 如般量子科技有限公司 Block chain based quantum computation resistant public key pool updating method and system
CN111510224A (en) * 2020-03-20 2020-08-07 军事科学院系统工程研究院网络信息研究所 Quantum communication method and system based on wavelength division multiplexing coding and key storage conversion
CN113469677A (en) * 2021-06-11 2021-10-01 深圳市雪球科技有限公司 Secure read-write method and device for DESFire card data
CN113469677B (en) * 2021-06-11 2024-04-19 深圳市雪球科技有限公司 DESFire card data safety read-write method and device

Also Published As

Publication number Publication date
CN109981255B (en) 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant