CN110166226A - A kind of method and apparatus generating code key - Google Patents

A kind of method and apparatus generating code key Download PDF

Info

Publication number
CN110166226A
CN110166226A CN201810145432.XA CN201810145432A CN110166226A CN 110166226 A CN110166226 A CN 110166226A CN 201810145432 A CN201810145432 A CN 201810145432A CN 110166226 A CN110166226 A CN 110166226A
Authority
CN
China
Prior art keywords
server
key
certificate
code key
verified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810145432.XA
Other languages
Chinese (zh)
Other versions
CN110166226B (en
Inventor
张华�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Jingdong Shangke Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Jingdong Shangke Information Technology Co Ltd filed Critical Beijing Jingdong Century Trading Co Ltd
Priority to CN201810145432.XA priority Critical patent/CN110166226B/en
Publication of CN110166226A publication Critical patent/CN110166226A/en
Application granted granted Critical
Publication of CN110166226B publication Critical patent/CN110166226B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of method and apparatus for generating code key, are related to field of computer technology.One specific embodiment of this method includes: that the first security information comprising itself the first public key is sent to after second server by first server, receive the second code key returned by second server, wherein, second code key is to be verified by second server to the first security information, and after being verified, generated by second server using the first public key;First server is verified the second security information, and after being verified after receiving the second security information comprising the second public key sent by second server, and the first code key of first server is generated using the second public key.This embodiment improves security reliabilities when generation code key, effectively prevent the attack and eavesdropping of third party device.

Description

A kind of method and apparatus generating code key
Technical field
The present invention relates to field of computer technology more particularly to a kind of method and apparatus for generating code key.
Background technique
Key exchange, is a kind of agreement to obtain authentication key.
Used key exchanged form is based on ECDH Diffie-Hellman in the prior art, specifically, such as Fig. 1 institute Show, identify communicating pair with Master and Slave, process is as follows:
1, (A1) Master and slave, which are established, communicates to connect, the publickey of each self-generating of both sides oneself with priviatekey。
2, the publickey_m of oneself is written in Slave by (A2) Master.
3, it after (A3) Slave receives publickey_m, is generated with publickey_m and priviatekey_s Sharekey, and confirmation result is returned to Master.
4, (A4) Macter, which is sent, reads instruction, obtains the end slave public key publickey_s.
5, the public key publickey_s of oneself is returned to Master by (A5) Slave, and Master receives the public key of Slave After generate sharekey.
6, (A6) both sides carry out encrypted data communications with the sharekey of each self-generating.
In realizing process of the present invention, at least there are the following problems in the prior art for inventor's discovery:
The mode of key exchange in the prior art can not resist internuncial attack, specifically, as shown in Fig. 2, Attaker plays the part of Slave to Master, and Attaker plays the part of Master to Slave.Therefore, the process after attack is as follows:
1, Master and Attacker, which is established, communicates to connect, and Attacker and Slave are established and communicated to connect, Master, The publickey and priviatekey of each self-generating of Attacker, Slave oneself.
2, the publickey_m of oneself is written in Attacker (at this point, Master judgement is written to by Master In Slave).
3, after Attacker receives publickey_m, sharekey_ is generated with publickey_m and priviatekey_a Am, and confirmation result is returned to Master.
4, the publickey_a of oneself is written in Slave (at this point, Slave judgement has received by Attacker The public key of Master).
5, after Slave receives publickey_a, sharekey_sa is generated with publickey_a and priviatekey_s, And confirmation result is returned to Attacker.
6, Macter, which is sent, reads instruction, obtains the public key publickey_a at the end Attacker.
7, the public key publickey_a of oneself is returned to Master by Attacker, and Master receives the public affairs of Attacker Sharekey_ma is generated after key.
8, Attacker, which is sent, reads instruction, obtains the end Slave public key publickey_s.
9, Attacker generates shared key using the public key publickey_s and the private key of oneself at the end Slave sharekey_as。
10, Master and Attacker is communicated using sharekey_ma (being equal to sharekey_am);Attacker It is communicated with Slave using sharekey_as (being equal to sharekey_sa).
At this moment, the Content of Communication between Master and Slave is just all known by Attacker.
Therefore, how to improve security reliability when generating key is particularly important.
Summary of the invention
In view of this, the embodiment of the present invention provides a kind of method and apparatus for generating code key, when can be improved generation key Security reliability.
To achieve the above object, according to an aspect of an embodiment of the present invention, a kind of method for generating code key is provided.
A kind of method for generation code key that the present invention is implemented includes: first server by first comprising itself the first public key Security information is sent to after second server, receives the second code key returned by second server, wherein the second code key is The first security information is verified by second server, and after being verified, the first public key is utilized by second server It generates;First server is right after receiving the second security information comprising the second public key sent by second server Second security information is verified, and after being verified, and the first code key of first server is generated using the second public key.
In another embodiment of the present invention, first server believes the first identity of the first public key and first server Breath is sent to certificate center, generates First Certificate using the certificate and private key of certificate center by certificate center, and First Certificate is returned Back to first server, then the first public key and First Certificate are formed the first security information by first server;Second server Second identity information of the second public key and second server is sent to certificate center, is generated by certificate center using certificate and private key Second certificate, and the second certificate is returned into second server, then second server forms the second public key and the second certificate Second security information.
In another embodiment of the present invention, the first security information is verified by second server, and verified It include: by second server certificate of utility by the step of later, generating the second code key using the first public key by second server The CertPubKey at center verifies the First Certificate in the first security information, in the case where being verified, determines first The first public key in security information comes from first server, then generates the second code key using the first public key;To the second safety letter Breath is verified, and after being verified, the step of generating the first code key of first server using the second public key includes: the One server by utilizing CertPubKey verifies the second certificate in the second security information, in the case where being verified, sentences The second public key in fixed second security information comes from second server, then generates the first code key using the second public key.
In another embodiment of the present invention, first server is after generating the first code key, according to preset algorithm pair First code key is encrypted, to obtain the first encryption code key of first server;Second server is generating the second code key Later, the second code key is encrypted according to preset algorithm, to obtain the second encryption code key of second server.
In another embodiment of the present invention, the step of the first code key being encrypted according to preset algorithm packet Include: by three bits of the first code key ring shift left, the first code key and preset characters string after then moving to left carry out logical AND Processing, to obtain the first encryption code key;The step of the second code key is encrypted according to preset algorithm includes: by second Three bits of code key ring shift left, the second code key and preset character string after then moving to left carry out the processing of logical AND, To obtain the second encryption code key.
To achieve the above object, according to another aspect of an embodiment of the present invention, a kind of device for generating code key is provided.
A kind of device of generation code key of the embodiment of the present invention includes: the first generation module, for will comprising itself first First security information of public key is sent to after second server, receives the second code key returned by second server, wherein Second code key is to be verified by second server to the first security information, and after being verified, by second server benefit It is generated with the first public key;Second generation module, for receiving the comprising the second public key sent by second server After two security information, the second security information is verified, and after being verified, generates the first clothes using the second public key First code key of business device.
In another embodiment of the present invention, first server believes the first identity of the first public key and first server Breath is sent to certificate center, generates First Certificate using the certificate and private key of certificate center by certificate center, and First Certificate is returned Back to first server, then the first public key and First Certificate are formed the first security information by first server;Second server Second identity information of the second public key and second server is sent to certificate center, is generated by certificate center using certificate and private key Second certificate, and the second certificate is returned into second server, then second server forms the second public key and the second certificate Second security information.
In another embodiment of the present invention, the first generation module is also used to: by second server certificate of utility center CertPubKey the First Certificate in the first security information is verified, in the case where being verified, determine first safety The first public key in information comes from first server, then generates the second code key using the first public key;Second generation module is also used In: first server certificate of utility public key verifies the second certificate in the second security information, the case where being verified Under, determine that the second public key in the second security information comes from second server, then generates the first code key using the second public key.
In another embodiment of the present invention, first server is after generating the first code key, according to preset algorithm pair First code key is encrypted, to obtain the first encryption code key of first server;Second server is generating the second code key Later, the second code key is encrypted according to preset algorithm, to obtain the second encryption code key of second server.
In another embodiment of the present invention, further include first processing module, be used for: by the first code key ring shift left three A bit, the first code key and preset characters string after then moving to left carry out the processing of logical AND, secret to obtain the first encryption Key;Further include Second processing module, be used for: by three bits of the second code key ring shift left, second after then moving to left is secret Key and preset character string carry out the processing of logical AND, to obtain the second encryption code key.
To achieve the above object, in accordance with a further aspect of the present invention, a kind of electronic equipment is provided.
The a kind of electronic equipment of the embodiment of the present invention includes: one or more processors;Storage device, for storing one Or multiple programs, when one or more programs are executed by one or more processors, so that one or more processors realize this The method that invention generates code key.
To achieve the above object, in accordance with a further aspect of the present invention, a kind of computer readable storage medium is provided.
A kind of computer readable storage medium of the embodiment of the present invention, is stored thereon with computer program, which is characterized in that The method that the present invention generates code key is realized when program is executed by processor.
One embodiment in foregoing invention has the following advantages that or the utility model has the advantages that because using security information is sent to Other side's server is verified, and only in the case where being verified, and just can further generate the technological means of code key, institute To overcome the technical problem of existing security reliability difference during generating code key, so reach raising generate code key when Security reliability technical effect.According to the technical solution of the present invention, security reliability when generating code key is improved, effectively The attack and eavesdropping for preventing third party device.
Further effect possessed by above-mentioned non-usual optional way adds hereinafter in conjunction with specific embodiment With explanation.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, make required in being described below to embodiment Attached drawing is briefly described, it should be apparent that, drawings in the following description are only some embodiments of the invention, for For those of ordinary skill in the art, without creative efforts, it can also be obtained according to these attached drawings other Attached drawing.In the accompanying drawings:
Fig. 1 is the existing timing diagram that key exchange is carried out using ECDH Diffie-Hellman;
Fig. 2 is the schematic diagram attacked when being swapped according to existing Diffie-Hellman;
Fig. 3 is the schematic diagram of the main flow of the method according to an embodiment of the present invention for generating code key;
Fig. 4 is the schematic diagram of the main modular of the device according to an embodiment of the present invention for generating code key;
Fig. 5 is that the embodiment of the present invention can be applied to exemplary system architecture figure therein;
Fig. 6 is adapted for the structural representation of the computer system for the terminal device or server of realizing the embodiment of the present invention Figure.
Specific embodiment
Below in conjunction with attached drawing, an exemplary embodiment of the present invention will be described, including the various of the embodiment of the present invention Details should think them only exemplary to help understanding.Therefore, those of ordinary skill in the art should recognize It arrives, it can be with various changes and modifications are made to the embodiments described herein, without departing from scope and spirit of the present invention.Together Sample, for clarity and conciseness, descriptions of well-known functions and structures are omitted from the following description.
Fig. 3 is the schematic diagram of the main flow of the method according to an embodiment of the present invention for generating code key, as shown in figure 3, this A kind of method of generation code key of inventive embodiments mainly includes the following steps:
Step S301: first server by the first security information comprising itself the first public key be sent to second server it Afterwards, the second code key returned by second server is received.Wherein, the second code key is by second server to the first security information It is verified, and after being verified, is generated by second server using the first public key.By the way that the first security information is sent out Second server is given, the processing of subsequent verifying and generation code key is then done by second server.It should be noted that first It can also include the safety certificate to be verified in security information, in embodiments of the present invention, first server will First public key and the first identity information of first server are sent to certificate center, and the certificate of certificate center is used by certificate center Private key generates First Certificate, and First Certificate is returned to first server, and then first server is by the first public key and first Certificate forms the first security information.In this way, just obtained forming the first security information by the first public key and First Certificate, then Two servers can be verified first according to First Certificate, and the second code key is then being generated using the first public key.It needs Illustrate, the first identity there is not information that can be arbitrary unique identity.
Specifically, the first security information is verified by second server in another usage scenario of the invention, and After being verified, by second server using the first public key generate the second code key the step of include: by second server benefit The First Certificate in the first security information is verified with the CertPubKey of certificate center, in the case where being verified, is sentenced The first public key in fixed first security information comes from first server, then generates the second code key using the first public key.
Step S302: first server is receiving the second safety letter comprising the second public key sent by second server After breath, the second security information is verified, and after being verified, generates the of first server using the second public key One code key.In step s101, second server according to the first public key that first server is sent generate itself it is second secret Key.Therefore, second server also needs the second public key of itself being sent to first server, to make first server according to First public key of the second public key generation first server.
In an embodiment of the present invention, second server sends the second identity information of the second public key and second server To certificate center, the second certificate is generated using certificate and private key by certificate center, and the second certificate is returned into second server, so The second public key and the second certificate are formed the second security information by second server afterwards.Likewise, in order to increase security reliability, the Two servers can equally generate the second certificate and the second public key sends jointly to first server, then be carried out by first server Verifying, and generate the first public key.It should be noted that the second identity information can be arbitrary unique identity.
Specifically, verifying in another usage scenario of the invention to the second security information, and it is being verified it Afterwards, the step of generating the first code key of first server using the second public key includes: first server certificate of utility public key to the The second certificate in two security information is verified, and in the case where being verified, determines that second in the second security information is public Key comes from second server, then generates the first code key using the second public key.
In addition, in order to enable the second code key that the first code key and second server that first server generates generate has more High confidentiality can be encrypted the first code key and the second code key.Specifically, in an embodiment of the present invention, the One server is encrypted the first code key after generating the first code key, according to preset algorithm, to obtain first service First encryption code key of device;Second server encrypts the second code key after generating the second code key, according to preset algorithm Processing, to obtain the second encryption code key of second server.
It should be noted that preset algorithm is arranged in first server and second server, it can be and appoint The algorithm of meaning, if code key can be encrypted and be guaranteed first server and second server can normal communication i.e. Can, in an embodiment of the present invention, the step of the first code key is encrypted according to preset algorithm includes: by the first code key Three bits of ring shift left, the first code key and preset characters string after then moving to left carry out the processing of logical AND, to obtain First encryption code key;The step of the second code key is encrypted according to preset algorithm includes: by the second code key ring shift left Three bits, the second code key and preset character string after then moving to left carry out the processing of logical AND, are added with obtaining second Close code key.It should be noted that preset characters string is pre-set, as long as and it can be patrolled with the code key after moving to left Volume and processing character string.
Detailed process of the invention is described in detail below, firstly, it is necessary to pre- in Master (above-mentioned first server) Deposit the public key publickey_CA (above-mentioned CertPubKey) of CA (above-mentioned certificate center);It is pre- in Slave (above-mentioned second server) Deposit the public key publickey_CA of CA.
It then is the existing timing diagram that key exchange is carried out using ECDH Diffie-Hellman, the present invention by taking Fig. 1 as an example Related detailed process is as follows:
1, Master and Slave, which is established, communicates to connect, the publickey and priviatekey of each self-generating of both sides oneself.
2, by public key publickey_m and the identity information of oneself, (above-mentioned first identity information can be any Master Unique identity) be sent to CA, by CA using private key priviatekey_CA generate certificate certificate_m it is (above-mentioned First Certificate), and certificate_m is returned into Master.
3, by public key publickey_s and the identity information of oneself, (above-mentioned second identity information can be any Slave Unique identity) be sent to CA, by CA using private key priviatekey_CA generate certificate certificate_s it is (above-mentioned Second certificate), and certificate_s is returned into Slave.
4, the publickey_m of oneself and certificate certificate_m are written in Slave by Master.
5, it after Slave receives publickey_m and certificate certificate_m, is handled first using publickey_CA Certificate_m, to verify whether publickey_m is really coming from Master, if really come from Master if down into Row, is otherwise exited.
6, Slave generates sharekey (above-mentioned second code key) with publickey_m and priviatekey_s, and returns Confirm result to Master.
7, Master, which is sent, reads instruction, obtains the end Slave public key publickey_s and certificate certificate_s.
8, the public key publickey_s of oneself and certificate certificate_s are returned to Master by Slave.
9, it after Master receives publickey_s and certificate certificate_s, is handled first using publickey_CA Certificate_s is carried out if coming from Slave really down to verify whether publickey_s is really coming from Slave, Otherwise it exits.
10, Master generates sharekey (above-mentioned first code key) with publickey_s and priviatekey_m, and returns Confirmation result is returned to Slave.
11, both sides carry out encrypted data communications with the sharekey of each self-generating.
Further, in order to increase the security reliability for generating code key, the code key of generation can be encrypted.Tool The process of body is as follows:
1, sharekey is encrypted using preset preset algorithm by Master, obtains sharekey_ changed。
2, sharekey is encrypted using preset preset algorithm by Slave, obtains sharekey_changed.
Herein, preset algorithm can be arbitrary algorithm, as long as can be encrypted to code key and guarantee the first clothes Business device and second server being capable of normal communications.For example, the length of sharekey is 128bit, handled using preset algorithm Process are as follows:
1, by sharekey ring shift left 3bit.
2, the result of (1) step and 0x00112233445566778899aabbccddeeff are carried out to the place of logical AND Reason, obtained result is as sharekey_changed.
The method according to an embodiment of the present invention for generating code key can be seen that because being sent to other side using by security information Server is verified, and only in the case where being verified, and just can further generate the technological means of code key, so gram The technical problem of existing security reliability difference during generating code key has been taken, and then has reached the peace improved when generating code key The technical effect of full reliability.According to the technical solution of the present invention, security reliability when generating code key is improved, it is effective anti- The attack and eavesdropping of third party device are stopped.
Fig. 4 is the schematic diagram of the main modular of the device according to an embodiment of the present invention for generating code key, as shown in figure 4, this A kind of device 400 of generation code key of inventive embodiments specifically includes that the first generation module 401 and the second generation module 402, In:
First generation module 401, the first security information for that will include itself the first public key are sent to second server Later, the second code key returned by second server is received, wherein the second code key is to be believed by second server the first safety Breath is verified, and after being verified, and is generated by second server using the first public key;Second generation module 402 is used In after receiving the second security information comprising the second public key sent by second server, the second security information is carried out Verifying, and after being verified, the first code key of first server is generated using the second public key.
In another embodiment of the present invention, first server believes the first identity of the first public key and first server Breath is sent to certificate center, generates First Certificate using the certificate and private key of certificate center by certificate center, and First Certificate is returned Back to first server, then the first public key and First Certificate are formed the first security information by first server;Second server Second identity information of the second public key and second server is sent to certificate center, is generated by certificate center using certificate and private key Second certificate, and the second certificate is returned into second server, then second server forms the second public key and the second certificate Second security information.
In another embodiment of the present invention, the first generation module 401 is also used to: by second server certificate of utility The CertPubKey of the heart verifies the First Certificate in the first security information, in the case where being verified, determines the first peace The first public key in full information comes from first server, then generates the second code key using the first public key;Second generation module 402 Be also used to: first server certificate of utility public key verifies the second certificate in the second security information, what is be verified In the case of, determine that the second public key in the second security information comes from second server, it is secret then to generate first using the second public key Key.
In another embodiment of the present invention, first server is after generating the first code key, according to preset algorithm pair First code key is encrypted, to obtain the first encryption code key of first server;Second server is generating the second code key Later, the second code key is encrypted according to preset algorithm, to obtain the second encryption code key of second server.
In another embodiment of the present invention, further include first processing module (not shown), be used for: is secret by first Three bits of key ring shift left, the first code key and preset characters string after then moving to left carry out the processing of logical AND, with To the first encryption code key;Further include Second processing module (not shown), be used for: the second code key ring shift left three are compared Spy, the second code key and preset character string after then moving to left carry out the processing of logical AND, to obtain the second encryption code key.
From the above, it can be seen that because verified using other side's server is sent by security information, and only Have in the case where being verified, just can further generate the technological means of code key, so overcoming in the process for generating code key Present in security reliability difference technical problem, and then reach improve generate code key when security reliability technical effect. According to the technical solution of the present invention, security reliability when generating code key is improved, attacking for third party device is effectively prevented It hits and eavesdrops.
Fig. 5 is shown can be using the generation code key method of the embodiment of the present invention or the exemplary system of generation code key device Framework 500.
As shown in figure 5, system architecture 500 may include terminal device 501,502,503, network 504 and server 505. Network 504 between terminal device 501,502,503 and server 505 to provide the medium of communication link.Network 504 can be with Including various connection types, such as wired, wireless communication link or fiber optic cables etc..
User can be used terminal device 501,502,503 and be interacted by network 504 with server 505, to receive or send out Send message etc..Various telecommunication customer end applications, such as the application of shopping class, net can be installed on terminal device 501,502,503 (merely illustrative) such as the application of page browsing device, searching class application, instant messaging tools, mailbox client, social platform softwares.
Terminal device 501,502,503 can be the various electronic equipments with display screen and supported web page browsing, packet Include but be not limited to smart phone, tablet computer, pocket computer on knee and desktop computer etc..
Server 505 can be to provide the server of various services, such as utilize terminal device 501,502,503 to user The shopping class website browsed provides the back-stage management server (merely illustrative) supported.Back-stage management server can be to reception To the data such as information query request analyze etc. processing, and by processing result (such as target push information, product letter Breath -- merely illustrative) feed back to terminal device.
It is generally executed by server 505 it should be noted that generating code key method provided by the embodiment of the present invention, accordingly Ground generates code key device and is generally positioned in server 505.
It should be understood that the number of terminal device, network and server in Fig. 5 is only schematical.According to realization need It wants, can have any number of terminal device, network and server.
Below with reference to Fig. 6, it illustrates the computer systems 600 for the terminal device for being suitable for being used to realize the embodiment of the present invention Structural schematic diagram.Terminal device shown in Fig. 6 is only an example, function to the embodiment of the present invention and should not use model Shroud carrys out any restrictions.
As shown in fig. 6, computer system 600 includes central processing unit (CPU) 601, it can be read-only according to being stored in Program in memory (ROM) 602 or be loaded into the program in random access storage device (RAM) 603 from storage section 608 and Execute various movements appropriate and processing.In RAM 603, also it is stored with system 600 and operates required various programs and data. CPU 601, ROM 602 and RAM 603 are connected with each other by bus 604.Input/output (I/O) interface 605 is also connected to always Line 604.
I/O interface 605 is connected to lower component: the importation 606 including keyboard, mouse etc.;It is penetrated including such as cathode The output par, c 607 of spool (CRT), liquid crystal display (LCD) etc. and loudspeaker etc.;Storage section 608 including hard disk etc.; And the communications portion 609 of the network interface card including LAN card, modem etc..Communications portion 609 via such as because The network of spy's net executes communication process.Driver 610 is also connected to I/O interface 605 as needed.Detachable media 611, such as Disk, CD, magneto-optic disk, semiconductor memory etc. are mounted on as needed on driver 610, in order to read from thereon Computer program be mounted into storage section 608 as needed.
Particularly, disclosed embodiment, the process described above with reference to flow chart may be implemented as counting according to the present invention Calculation machine software program.For example, embodiment disclosed by the invention includes a kind of computer program product comprising be carried on computer Computer program on readable medium, the computer program include the program code for method shown in execution flow chart.? In such embodiment, which can be downloaded and installed from network by communications portion 609, and/or from can Medium 611 is dismantled to be mounted.When the computer program is executed by central processing unit (CPU) 601, system of the invention is executed The above-mentioned function of middle restriction.
It should be noted that computer-readable medium shown in the present invention can be computer-readable signal media or meter Calculation machine readable storage medium storing program for executing either the two any combination.Computer readable storage medium for example can be --- but not Be limited to --- electricity, magnetic, optical, electromagnetic, infrared ray or semiconductor system, device or device, or any above combination.Meter The more specific example of calculation machine readable storage medium storing program for executing can include but is not limited to: have the electrical connection, just of one or more conducting wires Taking formula computer disk, hard disk, random access storage device (RAM), read-only memory (ROM), erasable type may be programmed read-only storage Device (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), light storage device, magnetic memory device, Or above-mentioned any appropriate combination.In the present invention, computer readable storage medium can be it is any include or storage journey The tangible medium of sequence, the program can be commanded execution system, device or device use or in connection.And at this In invention, computer-readable signal media may include in a base band or as carrier wave a part propagate data-signal, Wherein carry computer-readable program code.The data-signal of this propagation can take various forms, including but unlimited In electromagnetic signal, optical signal or above-mentioned any appropriate combination.Computer-readable signal media can also be that computer can Any computer-readable medium other than storage medium is read, which can send, propagates or transmit and be used for By the use of instruction execution system, device or device or program in connection.Include on computer-readable medium Program code can transmit with any suitable medium, including but not limited to: wireless, electric wire, optical cable, RF etc. are above-mentioned Any appropriate combination.
Flow chart and block diagram in attached drawing are illustrated according to the system of various embodiments of the invention, method and computer journey The architecture, function and operation in the cards of sequence product.In this regard, each box in flowchart or block diagram can generation A part of one module, program segment or code of table, a part of above-mentioned module, program segment or code include one or more Executable instruction for implementing the specified logical function.It should also be noted that in some implementations as replacements, institute in box The function of mark can also occur in a different order than that indicated in the drawings.For example, two boxes succeedingly indicated are practical On can be basically executed in parallel, they can also be executed in the opposite order sometimes, and this depends on the function involved.Also it wants It is noted that the combination of each box in block diagram or flow chart and the box in block diagram or flow chart, can use and execute rule The dedicated hardware based systems of fixed functions or operations is realized, or can use the group of specialized hardware and computer instruction It closes to realize.
Being described in module involved in the embodiment of the present invention can be realized by way of software, can also be by hard The mode of part is realized.Described module also can be set in the processor, for example, can be described as: a kind of processor packet Include the first generation module and the second generation module.Wherein, the title of these modules is not constituted under certain conditions to the module The restriction of itself.
As on the other hand, the present invention also provides a kind of computer-readable medium, which be can be Included in equipment described in above-described embodiment;It is also possible to individualism, and without in the supplying equipment.Above-mentioned calculating Machine readable medium carries one or more program, when said one or multiple programs are executed by the equipment, makes The equipment includes: after the first security information comprising itself the first public key is sent to second server by first server, Receive by second server return the second code key, wherein the second code key be by second server to the first security information into Row verifying, and after being verified, it is generated by second server using the first public key;First server is being received by After the second security information comprising the second public key that two servers are sent, the second security information is verified, and is verifying By later, the first code key of first server being generated using the second public key.
Technical solution according to an embodiment of the present invention, because being tested using other side's server is sent by security information Card, and only in the case where being verified, just the technological means of code key can be further generated, so overcoming secret in generation The technical problem of existing security reliability difference during key, and then reach the skill for improving security reliability when generating code key Art effect.According to the technical solution of the present invention, security reliability when generating code key is improved, third party is effectively prevented and sets Standby attack and eavesdropping.
Above-mentioned specific embodiment, does not constitute a limitation on the scope of protection of the present invention.Those skilled in the art should be bright It is white, design requirement and other factors are depended on, various modifications, combination, sub-portfolio and substitution can occur.It is any Made modifications, equivalent substitutions and improvements etc. within the spirit and principles in the present invention, should be included in the scope of the present invention Within.

Claims (12)

1. a kind of method for generating code key characterized by comprising
After the first security information comprising itself the first public key is sent to second server by first server, receive by institute State the second code key of second server return, wherein second code key is by the second server to first safety Information is verified, and after being verified, and is generated by the second server using first public key;
The first server receive the second security information comprising the second public key for being sent by the second server it Afterwards, second security information is verified, and after being verified, generates first clothes using second public key First code key of business device.
2. the method according to claim 1, wherein including:
First identity information of first public key and the first server is sent to certificate center by the first server, First Certificate is generated using the certificate and private key of the certificate center by the certificate center, and the First Certificate is returned into institute First server is stated, then the first server believes first public key and First Certificate composition first safety Breath;
Second identity information of second public key and the second server is sent to the certificate by the second server Center generates the second certificate using the certificate and private key by the certificate center, and second certificate is returned to described the Two servers, then second public key and second certificate are formed second security information by the second server.
3. the method according to claim 1, wherein
It is described that first security information is verified by the second server, and after being verified, by described The step of generation second code key of first public key described in two server by utilizing includes: to utilize the card by the second server The CertPubKey at book center verifies the First Certificate in first security information, the case where being verified Under, determine that first public key in first security information comes from the first server, it is then public using described first Key generates the second code key;
It is described that second security information is verified, and after being verified, using described in second public key generation The step of first code key of first server includes: that the first server believes second safety using the CertPubKey Second certificate in breath is verified, and in the case where being verified, determines described the in second security information Two public keys come from the second server, then generate the first code key using second public key.
4. method according to claim 1-3, which is characterized in that
The first server carries out at encryption first code key according to preset algorithm after generating first code key Reason, to obtain the first encryption code key of the first server;
The second server adds second code key according to the preset algorithm after generating second code key Close processing, to obtain the second encryption code key of the second server.
5. according to the method described in claim 4, it is characterized in that, described add first code key according to preset algorithm The step of close processing includes:
By described first code key ring shift left, three bits, first code key after then moving to left and preset characters string into The processing of row logical AND, to obtain the first encryption code key;
Described the step of second code key is encrypted according to the preset algorithm includes:
Second code key and the preset word by described second code key ring shift left, three bits, after then moving to left Symbol string carries out the processing of logical AND, to obtain the second encryption code key.
6. a kind of device for generating code key characterized by comprising
First generation module, for that will include after the first security information of itself the first public key is sent to second server, to connect Receive the second code key returned by the second server, wherein second code key is by the second server to described First security information is verified, and after being verified, and is generated by the second server using first public key;
Second generation module, for receiving the second security information comprising the second public key sent by the second server Later, second security information is verified, and after being verified, generates described first using second public key First code key of server.
7. according to the method described in claim 6, it is characterised by comprising:
First identity information of first public key and the first server is sent to certificate center by the first server, First Certificate is generated using the certificate and private key of the certificate center by the certificate center, and the First Certificate is returned into institute First server is stated, then the first server believes first public key and First Certificate composition first safety Breath;
Second identity information of second public key and the second server is sent to the certificate by the second server Center generates the second certificate using the certificate and private key by the certificate center, and second certificate is returned to described the Two servers, then second public key and second certificate are formed second security information by the second server.
8. according to the method described in claim 6, it is characterized in that,
First generation module is also used to: by the second server using the CertPubKey of the certificate center to described the The First Certificate in one security information is verified, and in the case where being verified, is determined in first security information First public key come from the first server, then using first public key generate the second code key;
Second generation module is also used to: the first server is using the CertPubKey in second security information Second certificate verified, in the case where being verified, determine that described second in second security information is public Key comes from the second server, then generates the first code key using second public key.
9. according to the described in any item methods of claim 6-8, which is characterized in that
The first server carries out at encryption first code key according to preset algorithm after generating first code key Reason, to obtain the first encryption code key of the first server;
The second server adds second code key according to the preset algorithm after generating second code key Close processing, to obtain the second encryption code key of the second server.
10. according to the method described in claim 9, being used for it is characterized in that, further include first processing module:
By described first code key ring shift left, three bits, first code key after then moving to left and preset characters string into The processing of row logical AND, to obtain the first encryption code key;
Further include Second processing module, be used for:
Second code key and the preset word by described second code key ring shift left, three bits, after then moving to left Symbol string carries out the processing of logical AND, to obtain the second encryption code key.
11. a kind of electronic equipment characterized by comprising
One or more processors;
Storage device, for storing one or more programs,
When one or more of programs are executed by one or more of processors, so that one or more of processors are real Now such as method as claimed in any one of claims 1 to 5.
12. a kind of computer-readable medium, is stored thereon with computer program, which is characterized in that described program is held by processor Such as method as claimed in any one of claims 1 to 5 is realized when row.
CN201810145432.XA 2018-02-12 2018-02-12 Method and device for generating secret key Active CN110166226B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810145432.XA CN110166226B (en) 2018-02-12 2018-02-12 Method and device for generating secret key

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810145432.XA CN110166226B (en) 2018-02-12 2018-02-12 Method and device for generating secret key

Publications (2)

Publication Number Publication Date
CN110166226A true CN110166226A (en) 2019-08-23
CN110166226B CN110166226B (en) 2023-06-27

Family

ID=67635116

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810145432.XA Active CN110166226B (en) 2018-02-12 2018-02-12 Method and device for generating secret key

Country Status (1)

Country Link
CN (1) CN110166226B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299667A (en) * 2008-06-05 2008-11-05 华为技术有限公司 Authentication method, system, client equipment and server
US20110022835A1 (en) * 2009-07-27 2011-01-27 Suridx, Inc. Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates
CN102624528A (en) * 2012-03-02 2012-08-01 中国人民解放军总参谋部第六十一研究所 IBAKA (Identity Based Authentication and Key Agreement) method
CN104579694A (en) * 2015-02-09 2015-04-29 浙江大学 Identity authentication method and system
CN104753682A (en) * 2015-04-03 2015-07-01 北京云安世纪科技有限公司 Generating system and method of session keys
CN105049434A (en) * 2015-07-21 2015-11-11 中国科学院软件研究所 Identity authentication method and encryption communication method under peer-to-peer network environment
WO2016033610A1 (en) * 2014-08-29 2016-03-03 Visa International Service Association Methods for secure cryptogram generation
CN105471845A (en) * 2015-11-16 2016-04-06 数据通信科学技术研究所 Communication method and communication system for preventing man-in-the-middle attack

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299667A (en) * 2008-06-05 2008-11-05 华为技术有限公司 Authentication method, system, client equipment and server
US20110022835A1 (en) * 2009-07-27 2011-01-27 Suridx, Inc. Secure Communication Using Asymmetric Cryptography and Light-Weight Certificates
CN102624528A (en) * 2012-03-02 2012-08-01 中国人民解放军总参谋部第六十一研究所 IBAKA (Identity Based Authentication and Key Agreement) method
WO2016033610A1 (en) * 2014-08-29 2016-03-03 Visa International Service Association Methods for secure cryptogram generation
CN104579694A (en) * 2015-02-09 2015-04-29 浙江大学 Identity authentication method and system
CN104753682A (en) * 2015-04-03 2015-07-01 北京云安世纪科技有限公司 Generating system and method of session keys
CN105049434A (en) * 2015-07-21 2015-11-11 中国科学院软件研究所 Identity authentication method and encryption communication method under peer-to-peer network environment
CN105471845A (en) * 2015-11-16 2016-04-06 数据通信科学技术研究所 Communication method and communication system for preventing man-in-the-middle attack

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113497778A (en) * 2020-03-18 2021-10-12 北京同邦卓益科技有限公司 Data transmission method and device
CN113497778B (en) * 2020-03-18 2023-05-12 北京同邦卓益科技有限公司 Data transmission method and device

Also Published As

Publication number Publication date
CN110166226B (en) 2023-06-27

Similar Documents

Publication Publication Date Title
CN101414909B (en) System, method and mobile communication terminal for verifying network application user identification
CN100477833C (en) Authentication method
US9374360B2 (en) System and method for single-sign-on in virtual desktop infrastructure environment
CN110492990A (en) Private key management method, apparatus and system under block chain scene
CN106576043A (en) Virally distributable trusted messaging
CN107248984A (en) Data exchange system, method and apparatus
CN110149354A (en) A kind of encryption and authentication method and device based on https agreement
CN108683674A (en) Verification method, device, terminal and the computer readable storage medium of door lock communication
CN104753675B (en) Information Authentication method, electric paying method, terminal, server and system
CN106341233A (en) Authentication method for client to log into server, device, system and electronic device
CN108880812A (en) The method and system of data encryption
CN109981287A (en) A kind of code signature method and its storage medium
EP4350556A1 (en) Information verification method and apparatus
CN111784887A (en) Authorization releasing method, device and system for user access
CN112308236B (en) Method, device, electronic equipment and storage medium for processing user request
CN109063450A (en) A kind of control method of secure storage medium, secure storage medium and system
CN110120952A (en) A kind of total management system single-point logging method, device, computer equipment and storage medium
CN105791277A (en) Identity authentication method
CN110493239A (en) The method and apparatus of authentication
CN109743161A (en) Information ciphering method, electronic equipment and computer-readable medium
CN112765642A (en) Data processing method, data processing apparatus, electronic device, and medium
Putra et al. S-Mbank: Secure mobile banking authentication scheme using signcryption, pair based text authentication, and contactless smart card
CN116226289A (en) Electronic certificate management method, device, equipment and storage medium based on blockchain
CN108305071A (en) A kind of method and apparatus of enquiring digital currency managing detailed catalogue
CN109302442A (en) A kind of data storage method of proof and relevant device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant