CN109981576B - Key migration method and device - Google Patents

Key migration method and device Download PDF

Info

Publication number
CN109981576B
CN109981576B CN201910132911.2A CN201910132911A CN109981576B CN 109981576 B CN109981576 B CN 109981576B CN 201910132911 A CN201910132911 A CN 201910132911A CN 109981576 B CN109981576 B CN 109981576B
Authority
CN
China
Prior art keywords
key
client device
key component
component
client
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910132911.2A
Other languages
Chinese (zh)
Other versions
CN109981576A (en
Inventor
安瑞
谢翔
傅志敬
孙立林
谢红军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Juzix Technology Shenzhen Co ltd
Original Assignee
Juzix Technology Shenzhen Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Juzix Technology Shenzhen Co ltd filed Critical Juzix Technology Shenzhen Co ltd
Priority to CN201910132911.2A priority Critical patent/CN109981576B/en
Publication of CN109981576A publication Critical patent/CN109981576A/en
Application granted granted Critical
Publication of CN109981576B publication Critical patent/CN109981576B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3825Use of electronic signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/064Hierarchical key distribution, e.g. by multi-tier trusted parties
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Accounting & Taxation (AREA)
  • Physics & Mathematics (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The embodiment of the application provides a key migration method and a key migration device, wherein the method calls a second key component and a first key component respectively stored at two sides of a second client device and a server through the second client device and the server according to a preset rule generated based on an MPC protocol, and performs function operation to generate a new key component, namely a fourth key component and a third key component to replace the original second key component and the original first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved.

Description

Key migration method and device
Technical Field
The present application relates to the field of internet technologies, and in particular, to a key migration method and apparatus.
Background
With the development and popularization of internet technology, more and more users are used to complete related transaction data processing by using mobile client devices (such as mobile phones or tablet computers of the users). For example, online shopping or paying an online bill using a mobile phone, etc.
To ensure that a user has control over the use of the funds data in his or her account, a client device used by the user or bound to the user's account will often maintain a key share. When the user instruction is responded, and transaction data processing is carried out, the user is required to provide the stored secret key component through the client equipment to generate a transaction signature corresponding to the user, and then the transaction signature can be used as a certificate to smoothly call fund data in an account of the user to complete specific transaction data processing.
If a user changes a client device used or bound by himself, the key component is often not available on the new client device. For example, the user a has previously performed transaction data processing using the mobile phone a to which the user a is bound, and the mobile phone a locally stores a key component for generating a transaction signature. When the user a changes to use the newly purchased mobile phone B, although the user can log in his or her own account on the mobile phone B, the key component stored in the mobile phone a is not initially stored in the mobile phone B. At this time, the user A cannot directly generate a transaction signature by using the mobile phone B to process transaction data. Therefore, the key component needs to be migrated from handset a to handset B first.
However, existing key migration methods are relatively simple, and most of them directly send the stored key components to a new client device (e.g., handset B) through a previously used client device (e.g., handset a). The key component is easily leaked or stolen by a third party in the process of sending and transmitting. That is, when the conventional key migration method is implemented, the technical problems that key migration is unsafe and easy to leak often exist.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the application provides a key migration method and device, and aims to solve the technical problems that key migration is unsafe and easy to leak.
The embodiment of the application provides a key migration method, which is applied to a system comprising a first client device, a second client device and a server, wherein the second client device stores a second key component, the server stores a first key component, and the method comprises the following steps:
the first client device initiates a key migration request;
the server and the second client device respond to the key migration request, call the first key component and the second key component which are respectively stored as input, and perform function operation according to a preset rule to obtain a third key component and a fourth key component; the server acquires and stores the third key component, and the second client device acquires and stores a fourth key component;
the second client device obtains a first public key generated by a first client device, wherein the first client device is used for generating a first public key and a first private key which are matched with each other;
the second client device generates first ciphertext data according to the first public key and the fourth key component, and sends the first ciphertext to the first client device;
and the first client equipment decrypts the first ciphertext data by using the first private key to obtain the fourth key component.
In one embodiment, the preset rule is generated in advance according to an MPC protocol.
In one embodiment, after the first client device decrypts the first ciphertext data by using the first private key to obtain the fourth key component, the method further includes:
the first client device sends acknowledgement information of a fourth key component to the second client device and the server;
the second client device responds to the acknowledgement information and destroys the stored second key component and the stored fourth key component; and the server responds to the acknowledgement information and destroys the stored first key component.
In one embodiment, after the first client device decrypts the first ciphertext data by using the first private key to obtain the fourth key component, the method further includes:
a user initiates a transaction data processing request through the first client device;
the first client device and the server respond to the transaction data processing request, and call and generate a transaction signature according to a fourth key component and a third key component which are respectively stored;
and the first client equipment processes transaction data according to the transaction signature.
In one embodiment, before the first client device initiates a key migration request, the method further comprises:
the first client device receives a key migration instruction;
and the first client equipment responds to the key migration instruction, verifies the identity information of the account logged in the first client equipment, and initiates the key migration request under the condition that the identity information of the account logged in the first client equipment is verified to be matched with the identity information of the account on the second client equipment.
The embodiment of the present application further provides a key migration method, where the method is applied to a second client device, where the second client device stores a second key component, and the method includes:
receiving and responding to the key migration request, calling the second key component and the first key component which are respectively stored by the server as input, and performing function operation according to a preset rule to obtain and store a fourth key component, wherein the server obtains and stores a third key component;
the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other;
and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
In one embodiment, obtaining the first public key generated by the first client device comprises:
scanning to obtain a preset two-dimensional code generated by first client equipment;
and analyzing the preset two-dimensional code to obtain the first public key.
The embodiment of the present application further provides a key migration method, where the method is applied to a first client device, and the method includes:
initiating a key migration request and generating a first public key and a first private key;
receiving first ciphertext data sent by second client equipment, wherein the first ciphertext data is obtained by encrypting a fourth key component by the second client equipment by using the first public key, the fourth key component is obtained by responding to the key migration request by the second client equipment and the server, calling the second key component and the first key component which are respectively stored as input, and performing function operation according to a preset rule;
and decrypting the first ciphertext data by using the first private key to obtain the fourth key component.
An embodiment of the present application further provides a key migration apparatus, including:
the first processing module is used for receiving and responding to the key migration request, calling the second key component and the first key component which are respectively stored by the server as input, and performing function operation according to a preset rule to obtain and store a fourth key component, wherein the third key component is obtained and stored by the server;
the system comprises an acquisition module, a first public key generation module and a second public key generation module, wherein the acquisition module is used for acquiring a first public key generated by first client equipment, and the first client equipment is used for generating a first public key and a first private key which are matched with each other;
and the second processing module is configured to generate first ciphertext data according to the first public key and the fourth key component, and send the first ciphertext to the first client device, where the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
The embodiment of the present application further provides a computer-readable storage medium, where computer instructions are stored, and when executed, the instructions implement receiving and responding to the key migration request, and calling, by a server, a second key component and a first key component that are respectively stored as inputs, and performing function operation according to a preset rule to obtain and store a fourth key component, where the server obtains and stores a third key component; the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other; and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
In the embodiment of the present application, because the scheme introduces the preset rule generated based on the MPC protocol, the second client device and the server invoke the second key component and the first key component respectively stored at two sides of the second client device and the server according to the preset rule, and perform function operation to generate new key components, that is, the fourth key component and the third key component to replace the originally used second key component and first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
FIG. 1 is a process flow diagram of a key migration method provided in accordance with an embodiment of the present application;
FIG. 2 is a schematic diagram of a key migration method provided by an embodiment of the present application applied in an example scenario;
FIG. 3 is a process flow diagram of a key migration method provided in accordance with an embodiment of the present application;
FIG. 4 is a process flow diagram of a key migration method provided in accordance with an embodiment of the present application;
fig. 5 is a block diagram of a key migration apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device based on a key migration method provided in an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In consideration of the fact that the existing key migration method is often relatively simple in design, the key is easily leaked or stolen in the migration transmission process, and even user loss is caused. Namely, the existing key migration method is often insecure and easy to leak in key migration.
For the root cause of the above technical problem, the present application considers that an MPC (i.e. secure multi-party computation) based processing approach can be introduced to improve the security of key migration. Specifically, the second client device and the server may invoke the second key component and the first key component respectively stored at two sides according to a preset rule generated based on the MPC protocol, and perform function operation together to generate a new key component, that is, a fourth key component and a third key component, to replace the originally used second key component and first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved.
Based on the thought, the embodiment of the application provides a key migration method. Please refer to fig. 1, which is a flowchart illustrating a key migration method according to an embodiment of the present application. The key migration method provided by the embodiment of the application can be particularly applied to a system comprising a first client device, a second client device and a server.
The second client device (which may be referred to as client2) may be specifically understood as a client device that stores a key component (e.g., a second key component) to be migrated. For example, the user may use the mobile phone or tablet computer previously or the user's account may be bound previously. Of course, it should be noted that the above-listed second client device is only an exemplary illustration. In a specific implementation, the second client device may also be other types of electronic devices, or software programs running in the electronic devices, and the like. The specification is not limited to the specific form and type of the second client device.
The first client device (which may be referred to as client1) may be specifically understood as a target device to which a key component to be migrated is to be migrated. For example, the mobile phone or tablet computer may be replaced and used by the user. Similarly, it should be noted that the first client device listed above is only an exemplary illustration. In a specific implementation, the first client device may also be other types of electronic devices, or software programs running in the electronic devices, and the like. The specification is not limited to the specific form and type of the first client device.
The server (which may be referred to as KMS) may be understood as a background server providing a platform for transaction data processing and other services related to key component usage for users. For example, the server may be a background server of a network payment platform, and the like. Of course, it should be noted that the above listed servers are only illustrative. In a specific implementation, the server may also be other types of electronic devices, or software programs running in the electronic devices. The specific form and type of the server are not limited in this specification.
In this embodiment, in order to ensure the security of the transaction data processing of the user, the key component obtained by splitting the key for the subsequent transaction data processing into two parts may be stored in the server and the client device, respectively. The server and the client device may respectively store a part of the key components, and subsequently, when transaction data processing is performed in response to a user instruction, the server and the client device are required to provide the stored key components together to perform specific transaction data processing. For example, the fund data in the account of the user can be called to complete the transaction by using the key components stored on the two sides. Therefore, even if a third party steals any one of the key components respectively kept by the server and the client, the account of the user cannot be called, and the safety of transaction data processing of the user can be improved.
In this embodiment, the server may store the first key component, and the second client device may store the second key component. Specifically, when transaction data processing is performed, the server and the second client device need to perform operations respectively with the first key component (may be denoted as sk1) and the second key component (may be denoted as sk2) stored in the server and the second client device as inputs to generate corresponding transaction signatures, and then the transaction signatures can be used as credentials to complete corresponding transaction data processing. The transaction signature (which may also be referred to as a public key digital signature or an electronic signature) may be specifically understood as a digital signature based on a public key encryption technology for proving the identity of a user. Specifically, the transaction signature may be a character string that corresponds to the user identity and is not easy to forge. When specific transaction data processing is performed, for example, the identity of the user may be verified according to the transaction signature, and the fund data in the user account may be called to perform the specific transaction data processing.
In this embodiment, the user wants to smoothly and securely migrate the second key component originally stored in the second client device to the first client device. Specifically, referring to fig. 2, a schematic diagram of a key migration method provided by the embodiment of the present application in a scenario example is shown, and in implementation, the method may include the following steps:
s11: the first client device initiates a key migration request.
In this embodiment, the key migration request may be specifically understood as request data for a second client device storing a second key component and instructing to migrate the stored second key component to the first client device.
In one embodiment, to further improve the security of the user transaction data processing, before the first client device initiates the key migration request, the first client device may also communicate with the server to verify whether the identities of the user logged in to use the first client device and the user logged in to use the second client device are consistent. Namely, whether the account of the user logging in the first client device is the same as the account of the user on the second client device is determined, and under the condition that the account of the user logging in the first client device is determined to be the same as the account of the user on the second client device, a key migration request is initiated to the second client device and the server.
In an embodiment, before the first client device initiates the key migration request, when the method is implemented, the following may be further included:
s1: the first client device receives a key migration instruction;
s2: and the first client equipment responds to the key migration instruction, verifies the identity information of the account logged in the first client equipment, and initiates the key migration request under the condition that the identity information of the account logged in the first client equipment is verified to be matched with the identity information of the account on the second client equipment.
In this embodiment, the key migration instruction may be specifically understood as instruction data issued by the user through the first client device and used for instructing to migrate the second key component to the first client device.
Specifically, for example, the user may log in his or her account on the first client device, and generate the key migration instruction by clicking a key migration icon or the like displayed in the account page. The first client device may receive the operation and determine a key migration instruction according to the operation.
In this embodiment, after receiving the key migration instruction, the first client device may first verify the identity information of the account logged in to the first client device. Specifically, the first client device may obtain an account number or an account name used when the user logs in, and identity information of an account such as a login key input when logging in; and comparing the identity information of the account with the identity information of the account stored in the second client device, and when the identity information of the accounts of the two client devices is the same or the difference value is relatively smaller than a preset difference threshold value, determining that the identity information of the account logged in the first client device is matched with the identity information of the account on the second client device, namely determining that the account currently logged in the first client device and requiring key migration and the account logged in the second client device before are the same account, and further initiating a key migration request. In contrast, when the identity information of the accounts of the two pieces of client equipment is different or the difference value is relatively large and is larger than a preset difference threshold value, it is determined that the identity information of the account logged in the first client equipment is not matched with the identity information of the account on the second client equipment, that is, it is determined that the account currently logged in the first client equipment and requiring key migration and the account previously logged in to use the second client equipment are not the same account, it is determined that the received key migration instruction may not be legal, and the user who sent the instruction may not have the right to perform key migration. In order to secure the user's account, the first client device may not initiate a key migration request. Meanwhile, prompt information can be displayed to the user to prompt the user to confirm that the input account identity information is accurate and correct, and then a key migration instruction is triggered.
S12: the server and the second client device respond to the key migration request, call the first key component and the second key component which are respectively stored as input, and perform function operation according to a preset rule to obtain a third key component and a fourth key component; and the server acquires and stores the third key component, and the second client device acquires and stores a fourth key component.
In an embodiment, the preset rule may be specifically understood as a data processing rule generated in advance according to an MPC (Secure Multi-Party computing) protocol or the like. The MPC protocol may be specifically understood as a secure computing protocol based on cryptography, in which participating parties respectively input their own information data locally and participate in operations together on the premise that they do not reveal their data.
In specific implementation, according to the preset rule based on the MPC protocol, MPC nodes capable of participating in MPC operation may be respectively preset on both sides of the second client device and the server. When the function operation is specifically carried out, the MPC node preset on the second client device and the MPC node preset on the server can respectively take the data respectively stored on the two sides of the second client device and the server as input to participate in the common function operation to obtain an operation result, but the other side can be prevented from obtaining the input data in the operation process, so that the stored data can be effectively prevented from being leaked or stolen, and the privacy and the safety of the data on each side are protected.
In this embodiment, the server and the second client device respond to the key migration request, call the first key component and the second key component that are respectively stored as inputs, and perform function operation according to a preset rule to obtain a third key component and a fourth key component, where in a specific implementation, the method may include: the server and the second client device receive and respond to the key migration request, a first key component stored in the server is called as input through an MPC node preset on one side of the server, meanwhile, a second key component stored in the second client device is called as input through an MPC node preset on one side of the second client device, and function operation is carried out together according to a preset rule based on an MPC protocol; through the above function operation, the server may obtain an operation result, and obtain a new key component, i.e., a third key component (may be denoted as sk1 '), according to the operation result, and the second client device may also obtain an operation result, and obtain another new key component, i.e., a fourth key component (may be denoted as sk 2'), according to the operation result.
Specifically, for example, as shown in fig. 2, the second client device and the server may generate the third key component and the fourth key component in the following manner: MPC (sk1, sk2) - > (sk1 ', sk 2'). The MPC () may specifically represent a function operation performed according to a preset rule based on an MPC protocol.
In this embodiment, the third key share and the fourth key share are a new set of key shares different from the first key share and the second key share, but since the third key share and the fourth key share are a set of key shares obtained by a function operation based on a preset rule from the first key share and the second key share, a transaction signature generated from the third key share and the fourth key share is consistent with a transaction signature generated from the first key share and the second key share. The previously used first key component and second key component may be subsequently replaced with the third key component and fourth key component to generate a transaction signature for the user, and corresponding transaction data may be processed.
In this embodiment, after obtaining the third key component, the server may locally store the third key component in the server. Similarly, the second client device may locally save the fourth key component after obtaining the fourth key component. Wherein the server cannot acquire the fourth key component, and the second client device cannot acquire the third key component
S13: the second client device obtains a first public key generated by a first client device, wherein the first client device is used for generating a first public key and a first private key which are matched with each other.
In this embodiment, the first public key and the first private key may specifically be a set of mutually matched key pairs generated by the first client device, and the key pairs may be used for data processing, such as subsequent data encryption.
In this embodiment, in specific implementation, the first client device may generate, in response to the key migration request, the first public key and the first private key that are matched with each other in a key generation manner such as re-encryption. Furthermore, the second client device can obtain the first public key therein, and the first client device stores the corresponding first private key.
Specifically, for example, as shown in fig. 2, the first client device may generate the first public key and the first private key in the following manner: keyGen () - > (pk _ n, sk _ n). The keyGen () may be specifically represented as a key generation formula, the pk _ n may be specifically represented as a first public key, and the sk _ n may be specifically represented as a first private key.
In this embodiment, the second client device may obtain the first public key generated by the first client device in a variety of ways. Specifically, the second client device may determine the first public key by querying information such as a device identifier of the first client device. The first public key may also be sent directly by the first client device to the second client device, received by the second client device, and so on.
In this embodiment, in order to consider that the first client device and the second client device may be electronic devices such as a mobile phone or a tablet computer used by a user and carrying a camera, and to consider data security in a public key transmission process and facilitate user operation, in a specific implementation, the first client device may generate a corresponding preset two-dimensional code according to the first public key. And displaying the preset two-dimension code to second client equipment so that the second client equipment can obtain the preset two-dimension code through camera scanning. After the second client device obtains the preset two-dimensional code, the second client device may further perform parsing on the preset two-dimensional code to extract the first public key therein. Of course, it should be noted that the above-listed manner of obtaining the first public key by the second client is only for better describing the embodiments of the present specification. In specific implementation, the first public key may also be obtained in other manners according to specific application scenarios and characteristics of the client device. The present specification is not limited to these.
S14: and the second client equipment generates first ciphertext data according to the first public key and the fourth key component, and sends the first ciphertext to the first client equipment.
In this embodiment, after obtaining the fourth key component, the second client device may encrypt the fourth key component in an encryption manner that the first client device can decrypt and then send the fourth key component to the first client device, in order to ensure that the fourth key component is not stolen or leaked during the transmission of the fourth key component to the first client device and improve the transmission security.
In this embodiment, in specific implementation, the second client device may perform encryption processing on the fourth key component by using the first public key generated by the first client device, so as to obtain an encrypted fourth key component, that is, the first ciphertext data. And then, the first ciphertext data is sent to the first client device in a wired or wireless transmission mode.
Specifically, for example, as described with reference to fig. 2, the second client device may encrypt the fourth key component in the following manner: enc (pk _ n, sk 2') - > cxt. The Enc may specifically represent an encryption operation, and the cxt may specifically represent first ciphertext data.
S15: and the first client equipment decrypts the first ciphertext data by using the first private key to obtain the fourth key component.
In this embodiment, after obtaining the first ciphertext data, the first client device may further perform decryption processing on the first ciphertext data by using the stored first private key to obtain a fourth key component, so as to complete migration of the key components between different client devices. In this way, the first client device and the server may subsequently generate the transaction signature of the user by using the fourth key component and the third key component respectively stored in the first client device and the server, and perform corresponding transaction data processing.
Specifically, for example, the first client device may perform decryption processing in the following manner to obtain the fourth key component: dec (sk _ n, sk2 ') - > sk 2'. The Dec () may be specifically expressed as a decryption operation.
In the embodiment of the present application, compared with the existing method, in the scheme, by introducing an MPC-based data processing manner, the second client device and the server call the second key components and the first key components respectively stored on both sides according to a preset rule generated based on an MPC protocol, and perform function operation to generate new key components, that is, the fourth key component and the third key component to replace the originally used second key component and first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved. In addition, updating of the key shares used is also done while the key shares are being migrated.
In an embodiment, after the first client device decrypts the first ciphertext data by using the first private key to obtain the fourth key component, when the method is implemented, the method may further include the following steps:
s1: the first client device sends acknowledgement information of a fourth key component to the second client device and the server;
s2: the second client device responds to the acknowledgement information and destroys the stored second key component and the stored fourth key component; and the server responds to the acknowledgement information and destroys the stored first key component.
In this embodiment, after obtaining and storing the fourth key component, the first client device may determine that the fourth key component has been successfully migrated, and subsequently, the first client device may be used to replace the previously used second client device to perform the transaction data processing of the user together with the server. That is, the second client device will not subsequently participate in the transaction data processing of the user, nor will the second client device need to save the second key component, and the fourth key component. In order to avoid the second key component and the fourth key component originally stored on the second client device from being leaked or stolen, and from affecting the transaction security of the user, as shown in fig. 2, the first client device may generate and send the acknowledgement information of the fourth key component to the second client device. After receiving the acknowledgement information, the second client device may destroy the second key component and the fourth key component originally stored in the second client device in response to the acknowledgement information, so as to prevent the subsequent second key component and the fourth key component from being leaked or stolen through the second client device that is not in use, thereby further improving the security of transaction data processing of the user.
Meanwhile, after the key migration is completed, the new key component group of the third key component and the fourth key component is used for replacing the second key component of the first key component used before, so that the first key component stored locally in the server before is not used subsequently. In order to reduce consumption of storage resources of the server, the first client device may also send the acknowledgement information to the server. After receiving the acknowledgement information, the server may destroy the first key component originally stored in the server locally in response to the acknowledgement information.
In an embodiment, after the first client device decrypts the first ciphertext data by using the first private key to obtain the fourth key component, when the method is implemented, the method may further include the following steps: a user initiates a transaction data processing request through the first client device; the first client device and the server respond to the transaction data processing request, and call and generate a transaction signature according to a fourth key component and a third key component which are respectively stored; and the first client equipment processes transaction data according to the transaction signature.
In the present embodiment, in addition to smoothly and securely completing the migration of key components between different client devices, the key components used are also updated in the manner described above. That is, the first client device and the server will generate the transaction signature by using the newly generated fourth key share and the newly generated third key share to replace the previously used second key share and the first key share, and perform specific transaction data processing, thereby improving the security of transaction data processing from another dimension.
As can be seen from the above description, in the key migration method provided in the embodiment of the present application, because the MPC-based data processing manner is introduced, the second client device and the server call the second key component and the first key component respectively stored on both sides according to the preset rule generated based on the MPC protocol, and perform function operation to generate new key components, that is, the fourth key component and the third key component to replace the originally used second key component and first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved. In addition, the updating of the used key components is completed while the key components are migrated; and after the first client device obtains the fourth key component, sending acknowledgement information to the second client device, so that the second client device can destroy the stored second key component and the stored fourth key component in time according to the acknowledgement information, thereby avoiding the subsequent leakage or theft of the second key component and the fourth key component stored locally by the second client device, and further improving the security of the user key data.
The embodiment of the application also provides another key migration method. Please refer to fig. 3 for a flowchart of a key migration method according to an embodiment of the present application. The key migration method provided by the embodiment of the application can be particularly applied to the second client device. Wherein the second client device holds a second key component. When the method is implemented, the following contents can be included:
s31: receiving and responding to the key migration request, calling the second key component and the first key component which are respectively stored by the server as input, and performing function operation according to a preset rule to obtain and store a fourth key component, wherein the server obtains and stores a third key component;
s32: the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other;
s33: and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
In an embodiment, the obtaining of the first public key generated by the first client device may include the following steps:
s1: scanning to obtain a preset two-dimensional code generated by first client equipment;
s2: and analyzing the preset two-dimensional code to obtain the first public key.
In this embodiment, it should be noted that the above listed manner of obtaining the first public key is only an illustrative one. In specific implementation, the first public key may also be obtained in other suitable manners according to specific situations and processing requirements. The present specification is not limited to these.
The embodiment of the application also provides another key migration method. Please refer to fig. 4, which is a flowchart illustrating a key migration method according to an embodiment of the present disclosure. The key migration method provided by the embodiment of the application can be particularly applied to the first client device. In specific implementation, the method may include the following:
s41: initiating a key migration request and generating a first public key and a first private key;
s42: receiving first ciphertext data sent by second client equipment, wherein the first ciphertext data is obtained by encrypting a fourth key component by the second client equipment by using the first public key, the fourth key component is obtained by responding to the key migration request by the second client equipment and the server, calling the second key component and the first key component which are respectively stored as input, and performing function operation according to a preset rule;
s43: and decrypting the first ciphertext data by using the first private key to obtain the fourth key component.
Based on the same inventive concept, the embodiment of the present invention further provides a key migration apparatus, as described in the following embodiments. Because the principle of the key migration apparatus for solving the problem is similar to that of the key migration method, the implementation of the key migration apparatus may refer to the implementation of the key migration method, and repeated details are not described herein. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated. Please refer to fig. 5, which is a structural diagram of a key migration apparatus provided in an embodiment of the present application, where the apparatus may specifically include: the first processing module 501, the obtaining module 502, and the second processing module 503, and the structure thereof will be described in detail below.
The first processing module 501 may be specifically configured to receive and respond to the key migration request, and call, by the server, the second key component and the first key component that are respectively stored as input, and perform function operation according to a preset rule to obtain and store a fourth key component, where the server obtains and stores a third key component;
the obtaining module 502 may be specifically configured to obtain a first public key generated by a first client device, where the first client device is configured to generate a first public key and a first private key that are matched with each other;
the second processing module 503 may be specifically configured to generate first ciphertext data according to the first public key and the fourth key component, and send the first ciphertext to the first client device, where the first client device is configured to decrypt the first ciphertext data with the first private key to obtain the fourth key component.
In an embodiment, the preset rule may be a data processing rule generated in advance according to an MPC protocol.
In an embodiment, in order to obtain the first public key generated by the first client device, the obtaining module 502 may specifically include the following structural units:
the scanning unit may be specifically configured to scan and acquire a preset two-dimensional code generated by the first client device;
the parsing unit may be specifically configured to parse the preset two-dimensional code to obtain the first public key.
In an embodiment, the apparatus further includes a destruction module, which is specifically configured to receive and respond to the acknowledgement information of the fourth key component of the first client device, and destroy the stored second key component and the stored fourth key component.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
It should be noted that, the systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or implemented by a product with certain functions. For convenience of description, in the present specification, the above devices are described as being divided into various units by functions, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
Moreover, in the subject specification, adjectives such as first and second may only be used to distinguish one element or action from another element or action without necessarily requiring or implying any actual such relationship or order. References to an element or component or step (etc.) should not be construed as limited to only one of the element, component, or step, but rather to one or more of the element, component, or step, etc., where the context permits.
As can be seen from the foregoing description, in the key migration apparatus provided in the embodiment of the present application, since the preset rule generated based on the MPC protocol is introduced for specific processing, the second client device and the server call the second key component and the first key component respectively stored on two sides according to the preset rule generated based on the MPC protocol, and perform function operation to generate a new key component, that is, the fourth key component and the third key component replace the original second key component and the original first key component; and then, the newly generated fourth key component is encrypted and then sent to the first client device, so that the key component is migrated between different client devices, the technical problems that the key migration is unsafe and easy to leak in the existing method are solved, and the technical effect of safely and efficiently migrating the key component stored in the second client device to the first client device is achieved.
The embodiment of the present application further provides an electronic device, which may specifically refer to a schematic structural diagram of the electronic device based on the key migration method provided in the embodiment of the present application shown in fig. 6, where the electronic device may specifically include an input device 61, a processor 62, and a memory 63. The input device 61 may be specifically configured to receive a key migration request. The processor 62 may be specifically configured to respond to the key migration request, and call, by the server, the second key component and the first key component that are respectively stored as inputs, and perform function operation according to a preset rule to obtain and store a fourth key component, where the server obtains and stores a third key component; the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other; and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component. The memory 63 may specifically be used for storing program instructions on which the processor 62 is based.
In this embodiment, the input device may be one of the main apparatuses for information exchange between a user and a computer system. The input device may include a keyboard, a mouse, a camera, a scanner, a light pen, a handwriting input board, a voice input device, etc.; the input device is used to input raw data and a program for processing the data into the computer. The input device can also acquire and receive data transmitted by other modules, units and devices. The processor may be implemented in any suitable way. For example, the processor may take the form of, for example, a microprocessor or processor and a computer-readable medium that stores computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, an embedded microcontroller, and so forth. The memory may in particular be a memory device used in modern information technology for storing information. The memory may include multiple levels, and in a digital system, the memory may be any memory as long as it can store binary data; in an integrated circuit, a circuit without a physical form and with a storage function is also called a memory, such as a RAM, a FIFO and the like; in the system, the storage device in physical form is also called a memory, such as a memory bank, a TF card and the like.
In this embodiment, the functions and effects specifically realized by the electronic device can be explained by comparing with other embodiments, and are not described herein again.
An embodiment of the present application further provides a computer storage medium based on a key migration method, where the computer storage medium stores computer program instructions, and when the computer program instructions are executed, the computer storage medium implements: receiving and responding to a key migration request, calling a second key component and a first key component which are respectively stored by a server as input, and performing function operation according to a preset rule to obtain and store a fourth key component, wherein the server obtains and stores a third key component; the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other; and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
In the present embodiment, the storage medium includes, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Cache (Cache), a Hard Disk Drive (HDD), or a Memory Card (Memory Card). The memory may be used to store computer program instructions. The network communication unit may be an interface for performing network connection communication, which is set in accordance with a standard prescribed by a communication protocol.
In this embodiment, the functions and effects specifically realized by the program instructions stored in the computer storage medium can be explained by comparing with other embodiments, and are not described herein again.
Although various specific embodiments are mentioned in the disclosure of the present application, the present application is not limited to the cases described in the industry standards or the examples, and the like, and some industry standards or the embodiments slightly modified based on the implementation described in the custom manner or the examples can also achieve the same, equivalent or similar, or the expected implementation effects after the modifications. Embodiments employing such modified or transformed data acquisition, processing, output, determination, etc., may still fall within the scope of alternative embodiments of the present application.
Although the present application provides method steps as described in an embodiment or flowchart, more or fewer steps may be included based on conventional or non-inventive means. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of orders and does not represent the only order of execution. When an apparatus or client product in practice executes, it may execute sequentially or in parallel (e.g., in a parallel processor or multithreaded processing environment, or even in a distributed data processing environment) according to the embodiments or methods shown in the figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the presence of additional identical or equivalent elements in a process, method, article, or apparatus that comprises the recited elements is not excluded.
The devices or modules and the like explained in the above embodiments may be specifically implemented by a computer chip or an entity, or implemented by a product with certain functions. For convenience of description, the above devices are described as being divided into various modules by functions, and are described separately. Of course, in implementing the present application, the functions of each module may be implemented in one or more pieces of software and/or hardware, or a module that implements the same function may be implemented by a combination of a plurality of sub-modules, and the like. The above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and other divisions may be realized in practice, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed.
Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer readable program code, the same functionality can be implemented by logically programming method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be considered as a hardware component, and the means included therein for performing the various functions may also be considered as a structure within the hardware component. Or even means for performing the functions may be regarded as being both a software module for performing the method and a structure within a hardware component.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a mobile terminal, a server, or a network device) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same or similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
While the present application has been described by way of examples, those of ordinary skill in the art will appreciate that there are numerous variations and permutations of the present application that do not depart from the spirit of the present application and that the appended embodiments are intended to include such variations and permutations without departing from the present application.

Claims (9)

1. A key migration method applied to a system including a first client device, a second client device and a server, wherein the second client device stores a second key component, and the server stores a first key component, the method comprising:
the first client device initiates a key migration request;
the server and the second client device respond to the key migration request, respectively call the first key component and the second key component which are respectively stored as input, and perform function operation according to a preset rule to obtain a third key component and a fourth key component; the server acquires and stores the third key component, and the second client device acquires and stores a fourth key component; the third and fourth key shares are a new set of key shares different from the first and second key shares; the preset rule is generated in advance according to an MPC protocol;
the second client device obtains a first public key generated by a first client device, wherein the first client device is used for generating a first public key and a first private key which are matched with each other;
the second client device generates first ciphertext data according to the first public key and the fourth key component, and sends the first ciphertext data to the first client device;
and the first client equipment decrypts the first ciphertext data by using the first private key to obtain the fourth key component.
2. The method according to claim 1, wherein after the first client device decrypts the first ciphertext data using the first private key to obtain the fourth key component, the method further comprises:
the first client device sends acknowledgement information of a fourth key component to the second client device and the server;
the second client device responds to the acknowledgement information and destroys the stored second key component and the stored fourth key component; and the server responds to the acknowledgement information and destroys the stored first key component.
3. The method according to claim 1, wherein after the first client device decrypts the first ciphertext data using the first private key to obtain the fourth key component, the method further comprises:
initiating, by the first client device, a transaction data processing request;
the first client device and the server respond to the transaction data processing request, and call and generate a transaction signature according to a fourth key component and a third key component which are respectively stored;
and the first client equipment processes transaction data according to the transaction signature.
4. The method of claim 1, wherein prior to the first client device initiating a key migration request, the method further comprises:
the first client device receives a key migration instruction;
and the first client equipment responds to the key migration instruction, verifies the identity information of the account logged in the first client equipment, and initiates the key migration request under the condition that the identity information of the account logged in the first client equipment is verified to be matched with the identity information of the account on the second client equipment.
5. A key migration method applied to a second client device, the second client device holding a second key component, the method comprising:
receiving and responding to a key migration request, calling a second key component and a first key component which are respectively stored by a server as input, and performing function operation according to a preset rule to obtain and store a fourth key component, wherein the server obtains and stores a third key component; the third and fourth key shares are a new set of key shares different from the first and second key shares; the preset rule is generated in advance according to an MPC protocol;
the method comprises the steps of obtaining a first public key generated by first client side equipment, wherein the first client side equipment is used for generating a first public key and a first private key which are matched with each other;
and generating first ciphertext data according to the first public key and the fourth key component, and sending the first ciphertext data to the first client device, wherein the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
6. The method of claim 5, wherein obtaining the first public key generated by the first client device comprises:
scanning to obtain a preset two-dimensional code generated by first client equipment;
and analyzing the preset two-dimensional code to obtain the first public key.
7. A key migration method applied to a first client device, the method comprising:
initiating a key migration request and generating a first public key and a first private key;
receiving first ciphertext data sent by second client equipment, wherein the first ciphertext data is obtained by encrypting a fourth key component by the second client equipment by using the first public key, the fourth key component is obtained by responding to the key migration request by the second client equipment and the server, calling the second key component and the first key component which are respectively stored as input, and performing function operation according to a preset rule; the preset rule is generated in advance according to an MPC protocol;
decrypting the first ciphertext data by using the first private key to obtain the fourth key component; wherein, the server obtains a third key component; the third and fourth key shares are a new set of key shares different from the first and second key shares.
8. A key migration apparatus, comprising:
the first processing module is used for receiving and responding to the key migration request, calling the second key component and the first key component which are respectively stored by the server as input, performing function operation according to a preset rule, and obtaining and storing a fourth key component, wherein the third key component is obtained and stored by the server; the third and fourth key shares are a new set of key shares different from the first and second key shares; the preset rule is generated in advance according to an MPC protocol;
the system comprises an acquisition module, a first public key generation module and a second public key generation module, wherein the acquisition module is used for acquiring a first public key generated by first client equipment, and the first client equipment is used for generating a first public key and a first private key which are matched with each other;
and the second processing module is configured to generate first ciphertext data according to the first public key and the fourth key component, and send the first ciphertext data to the first client device, where the first client device is configured to decrypt the first ciphertext data by using the first private key to obtain the fourth key component.
9. A computer-readable storage medium having stored thereon computer instructions, wherein the instructions, when executed by a computer device, implement the steps of the method of any of claims 5 to 6.
CN201910132911.2A 2019-02-22 2019-02-22 Key migration method and device Active CN109981576B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910132911.2A CN109981576B (en) 2019-02-22 2019-02-22 Key migration method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910132911.2A CN109981576B (en) 2019-02-22 2019-02-22 Key migration method and device

Publications (2)

Publication Number Publication Date
CN109981576A CN109981576A (en) 2019-07-05
CN109981576B true CN109981576B (en) 2021-09-17

Family

ID=67077236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910132911.2A Active CN109981576B (en) 2019-02-22 2019-02-22 Key migration method and device

Country Status (1)

Country Link
CN (1) CN109981576B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111368322B (en) * 2020-03-11 2022-04-12 中电科(天津)网络信息安全有限公司 File decryption method and device, electronic equipment and storage medium
CN111815815B (en) * 2020-06-22 2022-06-24 合肥智辉空间科技有限责任公司 Electronic lock safety system
CN114710263B (en) * 2022-06-07 2022-08-05 苏州浪潮智能科技有限公司 Key management method, key management device, key management apparatus, and storage medium
CN116319949B (en) * 2022-12-19 2023-11-14 北京开科唯识技术股份有限公司 Session migration method, session migration device, terminal equipment and storage medium
CN115632890B (en) * 2022-12-23 2023-04-07 北京锘崴信息科技有限公司 Secure decryption method and device for private data and financial private data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base
CN109075962A (en) * 2016-03-25 2018-12-21 西恩·万·范 For use dynamic Public Key Infrastructure send and receive encryption message method, system and medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100531027C (en) * 2005-07-28 2009-08-19 深圳兆日技术有限公司 Key transplanting method based on safety environment
CN101651543B (en) * 2009-09-04 2012-02-01 瑞达信息安全产业股份有限公司 Creditable calculation platform key migration system and key migration method thereof
US10313393B1 (en) * 2017-11-16 2019-06-04 Capital One Services, Llc Systems and methods for securely pairing a transmitting device with a receiving device
CN109257173B (en) * 2018-11-21 2020-02-07 郑州轻工业学院 Asymmetric group key negotiation method based on authority information exchange

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109075962A (en) * 2016-03-25 2018-12-21 西恩·万·范 For use dynamic Public Key Infrastructure send and receive encryption message method, system and medium
CN109040045A (en) * 2018-07-25 2018-12-18 广东工业大学 A kind of cloud storage access control method based on the encryption of ciphertext policy ABE base

Also Published As

Publication number Publication date
CN109981576A (en) 2019-07-05

Similar Documents

Publication Publication Date Title
US11711219B1 (en) PKI-based user authentication for web services using blockchain
CN109981576B (en) Key migration method and device
US10790976B1 (en) System and method of blockchain wallet recovery
CN108965230B (en) Secure communication method, system and terminal equipment
CN111683071B (en) Private data processing method, device, equipment and storage medium of block chain
Kalra et al. Secure authentication scheme for IoT and cloud servers
JP6234607B2 (en) Method and apparatus for verifying processed data
US20180176222A1 (en) User friendly two factor authentication
CN107249004B (en) Identity authentication method, device and client
CN111431713B (en) Private key storage method and device and related equipment
EP3659295A1 (en) Authentication token with client key
CN110492990A (en) Private key management method, apparatus and system under block chain scene
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
US20130198518A1 (en) Secure peer discovery and authentication using a shared secret
US20210241270A1 (en) System and method of blockchain transaction verification
WO2020168546A1 (en) Secret key migration method and apparatus
US20180130056A1 (en) Method and system for transaction security
KR20150059347A (en) Mobile terminal, terminal and method for authentication using security cookie
CN114553590A (en) Data transmission method and related equipment
CN114363088B (en) Method and device for requesting data
CN109740319B (en) Digital identity verification method and server
CN113630412B (en) Resource downloading method, resource downloading device, electronic equipment and storage medium
WO2020168545A1 (en) Key migration method and apparatus
CN113626848A (en) Sample data generation method and device, electronic equipment and computer readable medium
CN104717235B (en) A kind of resources of virtual machine detection method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40010245

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant