CN111414640B - Key access control method and device - Google Patents

Publication number: CN111414640B
Authority: CN (China)
Prior art keywords: application, platform, information, key, identifier
Legal status: Active
Application number: CN202010092581.1A
Other languages: Chinese (zh)
Other versions: CN111414640A (en)
Inventor: 方习文
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202010092581.1A
Publication of CN111414640A
Priority to PCT/CN2020/132720 (WO2021159818A1)
Application granted
Publication of CN111414640B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The application discloses a key access control method and device, relating to the field of computer technologies, which allow a key use request from an application with a legitimate source to pass verification after the key has been transmitted between different operating systems or different computer devices. The method is applied to a target computer device that includes a first application and comprises: generating a key use request based on the first application, where the key use request includes a first key identifier and signature information to be verified of the first application; obtaining reference signed information of the first application, where the reference signed information is generated based on single-platform information of the first application and a first cross-platform identifier; and verifying the signature information to be verified of the first application according to the first key identifier and the reference signed information of the first application to obtain a verification result. The verification result indicates whether the key use request passes verification.

Description

Key access control method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for controlling key access.
Background
With the continuous development of terminal technologies, more and more applications (APPs) are developed and installed. For security, different applications use different keys to encrypt or decrypt their data, and a key can only be used by the application to which it corresponds. Before an application uses a key, it must send a key use request to a key management module, and the key management module verifies the key use request of the application through a key access control method.
Currently, one key access control method works as follows: the key management module determines the application to which the key requested by the key use request belongs according to identification information of the application in the operating system where the application is located, such as the user identification (UID) of the application or a combination of the package name and the signature of the application in that operating system. If the application that sent the key use request is the same as the application to which the requested key belongs, the key use request passes verification.
When a user has multiple computer devices, there is a need for key transmission, for example: an application needs to transmit its keys across multiple computer devices to encrypt or decrypt the application's data across multiple devices. For another example: a home application may need to transmit a key of the home application on multiple devices to control an internet of things (IOT) device by signing on the multiple devices using the key of the application.
When the key management module determines the owning application of a requested key according to the UID of the application, a problem arises after the key is transmitted from a source computer device to a target computer device: because the UID of an application differs between computer devices, the key management module in the target computer device cannot determine to which application the key requested by the key use request belongs, and the key use request of the application cannot pass verification. For example, the UID of application 1 in the source computer device is UID1, the UID of application 1 in the target computer device is UID2, and key 1 is the key of the application whose UID is UID1. After key 1 is transmitted to the target computer device, application 1 requests key 1 in the target computer device, but the target computer device cannot identify UID1, so the key use request of application 1 for key 1 does not pass verification in the target computer device.
When the key management module determines the owning application of a requested key according to a combination of the package name and the signature of the application, a similar problem arises: because the package name and the signature of an application differ between operating systems, if the source computer device and the target computer device use different operating systems, the key management module in the target computer device cannot determine to which application the key requested by the key use request belongs, and the key use request of the application cannot pass verification. For example, the package name and signature of application 1 in the source computer device are package name 1 and signature 1, the package name and signature of application 1 in the target computer device are package name 2 and signature 2, and key 1 is the key of the application with package name 1 and signature 1. After key 1 is transmitted to the target computer device, application 1 requests key 1 in the target computer device, but the target computer device cannot identify package name 1 and signature 1, so the key use request of application 1 for key 1 does not pass verification in the target computer device.
Therefore, a new key access control method needs to be provided.
Disclosure of Invention
Embodiments of the present application provide a key access control method and apparatus, so that after a key is transmitted between different computer devices or different operating systems, a key use request of an application with a legitimate source can still pass verification.
In order to achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
In a first aspect, a key access control method is provided. The method is applied to a target computer device that includes a plurality of applications, and the plurality of applications include a first application. The method includes: generating a key use request based on the first application, where the key use request includes a first key identifier and signature information to be verified of the first application; obtaining reference signed information of the first application according to the identifier of the first application and the first key identifier, where the reference signed information of the first application is generated based on single-platform information of the first application and a first cross-platform identifier, and the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the target computer device; and verifying the signature information to be verified of the first application according to the first key identifier and the reference signed information of the first application to obtain a verification result, where the verification result indicates whether the key use request passes verification. In this way, the target computer device verifies the signature information to be verified in the key use request against the reference signed information. The cross-platform identifier of the application in the reference signed information can be used to determine the application to which the key indicated by the key identifier belongs, and because the single-platform information of the application comes from the target computer device, security is increased. This solves the prior-art problem that, after a key is transmitted between computer devices running different operating systems, the target computer device cannot determine from the single-platform information of the application which application the key indicated by the key identifier belongs to, so that the key use request of an application with a legitimate source cannot pass verification.
According to the first aspect, in a first possible implementation of the first aspect, obtaining the reference signed information of the first application according to the identifier of the first application and the first key identifier includes: obtaining the single-platform information of the first application by using the identifier of the first application; obtaining, according to the first key identifier, the first cross-platform identifier of the first application corresponding to the first key identifier from a correspondence between each of a plurality of key identifiers and the cross-platform identifier of an application; and obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier.
According to the first aspect and the first possible implementation of the first aspect, in a second possible implementation of the first aspect, obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier includes: generating the reference signed information of the first application by applying a hash algorithm to the single-platform information of the first application and the first cross-platform identifier. In this way, the security of key access control can be increased.
According to the first aspect to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier includes: looking up, in a correspondence between each of a plurality of pieces of reference signed information and first information of an application, the reference signed information corresponding to the single-platform information of the first application and the first cross-platform identifier, and using it as the reference signed information of the first application. The first information of an application includes the single-platform information of the application and the cross-platform identifier of the application. Because the first information of the application and the reference signed information of the application are stored and the reference signed information is obtained by query, computing resources of the computer device can be saved.
According to the first aspect to the third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the single-platform information of the first application further includes at least one of an application signature of the first application and a single-platform signature public key of the first application. The application signature of the first application is information obtained by performing a signature operation on the installation package information of the first application. The single-platform signature public key of the first application is used to verify the application signature of the first application. In this way, the security of key access control can be increased.
According to the first aspect to the fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, verifying the signature information to be verified of the first application according to the first key identifier and the reference signed information of the first application includes: obtaining, according to the first key identifier, a verification signature public key of the first application from a correspondence between each of a plurality of key identifiers and a verification signature public key; and verifying the signature information to be verified of the first application according to the verification signature public key of the first application and the reference signed information of the first application.
According to the first aspect to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the method further includes: generating a correspondence between a second key identifier and the first cross-platform identifier, where the second key identifier is a key identifier of the first application that is different from the first key identifier; and sending the correspondence between the second key identifier and the first cross-platform identifier to a second computer device, where the second computer device is a computer device different from the target computer device. In this way, a key use request of the first application that contains the second key identifier can also pass verification in the second computer device.
According to the first aspect to the sixth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the method further includes: generating a correspondence between the second key identifier and the verification signature public key of the first application; and sending the correspondence between the second key identifier and the verification signature public key of the first application to the second computer device.
In a second aspect, a key access control method is provided. The method is applied to a target computer device that includes a plurality of applications, and the plurality of applications include a first application. The method includes: generating a key use request based on the first application, where the key use request includes a first key identifier; obtaining, according to the first key identifier, a first cross-platform identifier of the first application corresponding to the first key identifier from a correspondence between each of a plurality of key identifiers and the cross-platform identifier of an application; obtaining single-platform information of the first application, where the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the target computer device; obtaining, according to the single-platform information of the first application, a second cross-platform identifier corresponding to the single-platform information of the first application from a correspondence between the single-platform information of each of the plurality of applications and a cross-platform identifier; and if the first cross-platform identifier is the same as the second cross-platform identifier, determining that the key use request passes verification. In this way, the application to which the key indicated by the first key identifier belongs is determined according to the cross-platform identifier of the application. This overcomes the prior-art problem that, after a key is transmitted between computer devices running different operating systems, the target computer device cannot determine from single-platform information which application the key indicated by the key identifier belongs to, so that the key use request of an application with a legitimate source cannot pass verification.
According to the second aspect, in a first possible implementation of the second aspect, the method further includes: generating a correspondence between a second key identifier and the first cross-platform identifier, where the second key identifier is a key identifier of the first application that is different from the first key identifier; and sending the correspondence between the second key identifier and the first cross-platform identifier to a second computer device, where the second computer device is a computer device different from the target computer device. In this way, a key use request of the first application that contains the second key identifier can also pass verification in the second computer device.
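The second-aspect check and the transfer of the key-identifier correspondence to another device, as an added example that is not code from the patent. The class and function names, package names, key identifiers and the `examplehome` cross-platform identifier are constructed for illustration.

```python
"""Second-aspect check: compare two cross-platform identifiers (added example)."""
from dataclasses import dataclass, field


@dataclass
class KeyManager:
    """Hypothetical key management module of one device (names are illustrative)."""
    # Single-platform identifier on this OS -> cross-platform identifier.
    app_to_cross_id: dict
    # Key identifier -> cross-platform identifier of the owning application.
    key_to_cross_id: dict = field(default_factory=dict)

    def verify(self, caller_single_id: str, key_id: str) -> bool:
        """caller_single_id must be taken from the OS, never from the request."""
        first = self.key_to_cross_id.get(key_id)             # from the key identifier
        second = self.app_to_cross_id.get(caller_single_id)  # from the platform info
        if first is None or second is None:
            return False  # fail closed: two missing entries must not compare equal
        return first == second

    def export_mapping(self, key_id: str) -> dict:
        """Correspondence (key identifier -> cross-platform id) for another device."""
        return {key_id: self.key_to_cross_id[key_id]}

    def import_mapping(self, mapping: dict) -> None:
        for key_id, cross_id in mapping.items():
            # A received record must not re-assign a key this device already knows.
            if self.key_to_cross_id.setdefault(key_id, cross_id) != cross_id:
                raise ValueError(f"conflicting owner for {key_id}")


def prior_art_check(key_owner_single_id: str, caller_single_id: str) -> bool:
    """Background rule: the key owner is recorded by its single-platform identifier."""
    return key_owner_single_id == caller_single_id


def demo() -> dict:
    # Constructed sample data: one application installed on two operating systems.
    android = KeyManager({"com.example.home.android": "examplehome"})
    android.key_to_cross_id["key-1"] = "examplehome"
    ios = KeyManager({"com.example.home.ios": "examplehome",
                      "com.example.other.ios": "otherapp"})
    ios.import_mapping(android.export_mapping("key-1"))
    return {
        "prior_art_on_target": prior_art_check("com.example.home.android",
                                               "com.example.home.ios"),
        "same_app_on_target": ios.verify("com.example.home.ios", "key-1"),
        "other_app_on_target": ios.verify("com.example.other.ios", "key-1"),
        "unknown_key": ios.verify("com.example.home.ios", "key-2"),
        "unknown_app_and_key": ios.verify("com.example.gone.ios", "key-2"),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'pass' if passed else 'reject'}")
```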
In a third aspect, a key access control method is provided. The method is applied to a target computer device that includes a plurality of applications, and the plurality of applications include a first application. The method includes: generating a key use request based on the first application, where the key use request includes a first key identifier and signature information to be verified of the first application; obtaining reference signed information of the first application according to the identifier of the first application and the first key identifier, where the reference signed information of the first application is generated based on a first cross-platform identifier; and verifying the signature information to be verified of the first application according to the first key identifier and the reference signed information of the first application to obtain a verification result, where the verification result indicates whether the key use request passes verification. In this way, the target computer device verifies the signature information to be verified in the key use request against the reference signed information, and the cross-platform identifier of the application in the reference signed information can be used to determine the application to which the key indicated by the key identifier belongs. This solves the prior-art problem that, after a key is transmitted between computer devices running different operating systems, the target computer device cannot determine from the single-platform information of the application which application the key indicated by the key identifier belongs to, so that the key use request of an application with a legitimate source cannot pass verification.
In a fourth aspect, a key access control device is provided, configured to perform the method provided in any one of the possible implementation manners provided in the first aspect to the third aspect. The key access control device may be a computer device or chip or the like.
In one possible design, the key access control apparatus includes modules for performing the method provided in any one of the possible implementations provided in the first to third aspects.
In one possible design, the key access control apparatus includes a memory for storing computer program instructions and a processor for calling the computer program instructions to execute the method provided in any one of the possible implementation manners provided in the first aspect to the third aspect.
In a fifth aspect, a computer-readable storage medium, such as a non-transitory computer-readable storage medium, is provided. The storage medium stores a computer program (or instructions) which, when run on a computer, causes the computer to perform any method provided by any possible implementation of the first to third aspects.
A sixth aspect provides a computer program product which, when run on a computer, causes any method provided in any possible implementation of the first to third aspects to be performed.
In a seventh aspect, a chip is provided, which includes a processor configured to call, from a memory, and run a computer program stored in the memory, so as to perform any method provided by any possible implementation of the first to third aspects.
It is understood that any one of the computer devices, computer storage media, computer program products or chips provided above can be applied to the corresponding methods provided above, and therefore, the beneficial effects achieved by the methods can refer to the beneficial effects in the corresponding methods, and are not described herein again.
Drawings
FIG. 1 is a schematic diagram of a system architecture suitable for use with embodiments of the present application;
FIG. 2 is a software architecture diagram of a computer device that may be suitable for use with embodiments of the present application;
FIG. 3 is a schematic diagram of a computing device to which the present disclosure may be applied;
FIG. 4 is a schematic flowchart of a key access control method according to an embodiment of the present application;
FIG. 5 is a schematic flowchart of another key access control method according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating a method for obtaining a key record according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of a key access control apparatus according to an embodiment of the present application.
Detailed Description
Fig. 1 is a schematic diagram of a system architecture applicable to the embodiment of the present application, where the system shown in fig. 1 includes an application server 201 and a plurality of computer devices 202. Application server 201 of fig. 1 may be connected to a plurality of computer devices 202 (e.g., computer device 1 and computer device 2). The application server 201 is a server corresponding to an application in the computer device 202. The application server 201 may be a WeChat Server, QQ Server, or the like.
Fig. 2 is a diagram showing a software configuration of a computer device applicable to the embodiment of the present application. In fig. 2, a key management module 20 manages keys of a plurality of applications 10. The key management module 20 may access the key record in the storage module 30 and authenticate the key usage request of the application 10 to implement management of access of the application 10 to the key record.
Fig. 3 is a schematic structural diagram of a computing device 100 to which the technical solution provided by the present application is applied. In one example, from a hardware architecture perspective, the application server 201 and the computer device 202 in fig. 1 may be the computing apparatus 100 in fig. 3. The computing device 100 shown in fig. 3 may include at least one processor 101, communication lines 102, memory 103, and at least one communication interface 104.
The processor 101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in accordance with the present disclosure.
The communication line 102 may include at least one path, such as a data bus and/or a control bus, for communicating information between the aforementioned components (e.g., the at least one processor 101, the communication line 102, the memory 103, and the at least one communication interface 104).
Communication interface 104, using any transceiver or like device, is used to communicate with other devices or communication networks, such as Wide Area Networks (WAN), Local Area Networks (LAN), etc.
The memory 103 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 103 may be separate and coupled to the processor 101 via the communication line 102. The memory 103 may also be integrated with the processor 101. The memory 103 provided by the embodiment of the present application generally includes a nonvolatile memory. The memory 103 is used for storing computer instructions for executing the solution of the present application, and execution is controlled by the processor 101. The processor 101 is configured to execute the computer instructions stored in the memory 103, thereby implementing the methods provided in the embodiments of the present application described below.
The memory 103 includes main memory and a hard disk.
Optionally, the computer instructions in the embodiments of the present application may also be referred to as application program code or system, which is not specifically limited in the embodiments of the present application.
In one embodiment, the computing device 100 may include a plurality of processors, and each of the processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, as an embodiment, the computing device 100 may also include an output device 105 and/or an input device 106. The output device 105 is in communication with the processor 101 and may display information in a variety of ways. For example, the output device 105 may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like. The input device 106 is in communication with the processor 101 and may receive user input in a variety of ways. For example, the input device 106 may be a mouse, a keyboard, a touch screen device, or a sensing device, among others.
It should be noted that the computing apparatus shown in fig. 3 is only an example, and does not limit the computer device or the application server to which the embodiments of the present application are applicable. In actual implementation, the computer device or application server may include more or fewer devices or components than shown in fig. 3.
In one example, in conjunction with FIG. 3, the functions of the key management module 20 in FIG. 2 may be implemented by the processor 101 in FIG. 3 executing a program in the memory 103. The storage module 30 in FIG. 2 may be the memory 103 in FIG. 3.
Hereinafter, some terms referred to in the present application are explained:
1) Platform
A platform is an operating system, such as the Apple operating system (iOS) or the Android operating system.
2) Single platform identification of application and cross-platform identification of application
The single-platform identifier of an application is the identification information of the application in a particular operating system. The single-platform identifier of an application may be defined by the developer of the application.
For example, the single-platform identifier of WeChat in the Android operating system can be at least one of the package name of WeChat in the Android system (e.g., com.content.xin) or the signature of WeChat in the Android system. The single-platform identifier of WeChat in the Apple operating system can be at least one of the package name of WeChat in the Apple operating system (e.g., com.event.mm) or the signature of WeChat in the Apple operating system. An application has a unique single-platform identifier within one platform and different single-platform identifiers on different platforms.
The cross-platform identifier of an application is unified identification information of the application across different operating systems. The cross-platform identifier of an application may be defined by the developer of the application. For example, the cross-platform identifier of WeChat can be weixin, and the cross-platform identifier of the microblog application can be weibo. An application has one unique cross-platform identifier across different operating systems.
3) Key
A key is secret information used in cryptographic applications such as encryption, decryption, and integrity verification. In symmetric cryptography (or secret-key cryptography), the encryption key and the decryption key are the same, and thus the key needs to be kept secret. In public key cryptography (or asymmetric cryptography), the encryption key and the decryption key are different: one is usually public and is called the public key (e.g., a verification signature public key); the other is secret and is called the private key (e.g., a signature private key). For example, the encryption key is a public key and the decryption key is a private key. Alternatively, the encryption key is a private key and the decryption key is a public key.
4) Signature
A signature is a cryptographic application in public key cryptography used for authentication or data integrity verification. In the embodiments of the application, the signature is used to perform identity verification on the key use request.
The signature process may include: the application or the application server performs a signature operation on the signed information of the application by using the signature private key of the application to obtain the signature information of the application.
5) Signed information of application
The signed information of the application is the information on which the signature operation is to be performed.
The method for obtaining the signed information is not limited. For example, the computer device may apply a first algorithm to the cross-platform identifier of the application and the single-platform information of the application to obtain the signed information.
In one implementation, the first algorithm combines the cross-platform identifier of the application with the single-platform information of the application to obtain a character string and uses that string as the signed information. The combination may take various forms, which the present application does not limit. In one implementation, the combination concatenates the cross-platform identifier of the application with the single-platform information of the application; the present application does not limit the order of concatenation. In another implementation, the combination concatenates the cross-platform identifier of the application, the single-platform information of the application, and a predefined string (e.g., "# 123 ×"); again, the present application does not limit the order in which the three are concatenated.
In another implementation, the first algorithm combines the cross-platform identifier of the application with the single-platform information of the application to obtain a character string, hashes the string with a hash algorithm to obtain the corresponding hash value, and uses the hash value as the signed information. The hash algorithm may include, but is not limited to, SHA256 or SHA1.
6) Signature information of application
The signature information of the application is obtained by performing a signature operation on the signed information of the application with a signature private key according to a signature algorithm. The embodiments of the present application involve two kinds: the application signature of the application and the signature information to be verified of the application.
The application signature of the application is information obtained by performing signature operation on first signed information of the application by using a first signature private key according to a first signature algorithm. The first signed information includes installation package information for the application. The application signature of an application is the information that the application generates when generating the installation package file before installation on the platform. The application signature of an application is used to reduce the risk of tampering with the installation files of the application. If any file in the installation package is changed when the application is installed compared to the file in the first signed information of the application, the application fails to verify and the application will not be installed successfully.
The signature information to be verified of the application is obtained by performing a signature operation on the second signed information of the application with a second signature private key according to a second signature algorithm. It is used to verify whether the single-platform information of the application corresponds to the cross-platform identifier of the application, which strengthens the security of key management for cross-platform applications. In this case, the second signed information includes the cross-platform identifier of the application and the single-platform information of the application. The single-platform information of the application includes the single-platform identifier of the application and, optionally, the application signature of the application and the single-platform signature public key of the application. Including the application signature in the single-platform information improves the security of key management. The single-platform signature public key of the application is used to verify the application signature of the application.
The signature information to be verified of the application may be preset in the computer device, for example, preset in the computer device by an application developer, or the signature information to be verified of the application may be issued to the computer device by the application server. The application server may include a signature module, and the signature module is configured to perform a signature operation on the second signed information of the application using the second private signature key according to a second signature algorithm, to obtain signature information to be verified of the application.
The first signature algorithm and the second signature algorithm may be the same or different. As an example, either of the first signature algorithm and the second signature algorithm may be an asymmetric encryption algorithm (RSA) or an Elliptic Curve Digital Signature Algorithm (ECDSA), or the like.
The first signature private key and the second signature private key may be the same or different, and the application does not limit this.
7) Verification algorithm
The verification algorithm takes the signature information to be verified, the verification signature public key, and the signed information as input and determines whether the signature information to be verified is correct.
8) Other terms
In the embodiments of the present application, the words "exemplary" or "such as" are used herein to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "such as" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present relevant concepts in a concrete fashion.
In the embodiments of the present application, "at least one" means one or more. "plurality" means two or more.
In the embodiments of the present application, "and/or" describes an association between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that, the computer device stores the cross-platform identifier of the application, the signature information to be verified of the application, the single-platform information of the application, the first signature private key of the application, the second signature private key of the application, and the second verification signature public key corresponding to the second signature private key. The following description will be given by taking an example in which the correspondence relationship between the key id and the cross-platform id of the application, the correspondence relationship between the key id and the second signed information, the correspondence relationship between the key id and the second verification signature public key, and the correspondence relationship between the key id and the single-platform information of the application are embodied in the form of a key record.
There is a need for key transmission when a user has multiple computer devices. The key transmission means: the source computer device transmits a key record of an application stored in the source computer device to the destination computer device, which stores the key record of the application. Wherein the key record includes: a key identification, a key value, and a cross-platform identification of an application. Optionally, the key record may further include the second signed information, the second verification signature public key, and the single platform information of the application.
One key record includes one key identifier, and different key records include different key identifiers. The cross-platform identifier of the application in a key record indicates the application to which the key indicated by the key identifier in that record belongs. Different data generated by an application can be encrypted or decrypted with different keys, so one application can correspond to one or more key records. The cross-platform identifiers of the application in these key records are the same; the second verification signature public keys in these key records may be the same or different, and the second signed information in these key records may be the same or different.
The embodiment of the present application does not limit the manner of obtaining the key record stored in the computer device, and in one implementation manner, the key record is preset in a storage module of the computer device. In another implementation, the key record is transmitted from another computer device (e.g., the key record in the destination computer device is from the source computer device). In another implementation, the computer device obtains the key record by the method in embodiment two.
Illustratively, key records for multiple applications in a computer device are shown in table 1 below.
TABLE 1 (an image in the original publication; its contents are not reproduced in this text)
Based on the example in table 1, in the key record with the key id of key id2, the cross-platform id of the application is the cross-platform id of application 1, and the second verification signature public key of application 1 is the second verification signature public key 2. The second signed information of application 1 is the second signed information of application 1. The single platform information of the application 1 is the single platform information of the application 1.
In the first embodiment, the technical solution of the key access control method according to the present application is described by taking an example that the key record in the target computer device is obtained by being transmitted by the source computer device. The operating system of the target computer device may be the same as or different from the operating system of the source computer device.
Example one
Fig. 4 is a schematic flowchart of a key access control method according to an embodiment of the present application. Illustratively, the present embodiment may be applied to the computer device shown in fig. 2. The method shown in fig. 4 may include the steps of:
S100: Application 1 generates a key use request. The key use request is used by application 1 to request a service from the key management module. Application 1 is any one of the applications in the target computer device. The key use request includes: the signature information to be verified of application 1 and the first secret key identifier.
The service requested by the key use request includes: obtaining the first secret key value, encrypting the data of application 1 using the first secret key value, or performing a signature operation on third signed information of application 1 using the first secret key value according to a third signature algorithm, and so on. The third signed information may be information in application 1 that needs to be signed. The third signed information may be the same as or different from the second signed information. Of course, the key-based algorithm service requested by the key use request may also be another service, which this embodiment of the present application does not limit.
When the service requested by the key use request is to obtain the first secret key value, the key use request may include: the first secret key identifier and the signature information to be verified of application 1. When the service requested by the key use request is to encrypt data of application 1 using the first secret key value, the key use request may include: the first secret key identifier, the signature information to be verified of application 1, the identification information of the encryption algorithm, and the data of application 1. When the service requested by the key use request is a signature operation on the third signed information of application 1 using the first secret key value according to the third signature algorithm, the key use request may include: the first secret key identifier, the signature information to be verified of application 1, the identification information of the third signature algorithm, and the third signed information of application 1.
The identifier of the application 1 is an identifier that can be recognized by an operating system in which the application 1 is located, and is used for the key management module to obtain the single-platform information of the application 1 through a function provided by the operating system. The identifier of the application 1 is different from the single-platform identifier of the application 1 and the cross-platform identifier of the application 1. The key value corresponding to the first secret key identifier is the first secret key value.
This embodiment of the present application does not limit the trigger condition for application 1 to generate the key use request. For example, application 1 generates the key use request when data of application 1 needs to be encrypted; in that case the service requested by the key use request is to encrypt the data of application 1 using the first secret key value.
S101: the application 1 sends the key use request to the key management module.
S102: The key management module obtains the first single-platform information of application 1 according to the identifier of application 1. The first single-platform information is the single-platform information of application 1 in the operating system of the target computer device. The target computer device where application 1 is located is preset with the single-platform information of a plurality of applications.
For example, in the android system, the key management module uses a Package Management Service (PMS) in the platform to obtain an identifier of the application 1, and uses the identifier of the application 1 to obtain single-platform information of the application corresponding to the identifier of the application 1, and uses the obtained single-platform information of the application as first single-platform information of the application 1.
S103: the key management module obtains a cross-platform identifier in the key record where the first secret key identifier is located, and uses the cross-platform identifier as the first cross-platform identifier of the application 1.
S104: The key management module obtains the reference signed information of application 1 according to the first single-platform information of application 1 and the first cross-platform identifier of application 1.
The embodiment of the present application does not limit a specific implementation manner in which the key management module obtains the reference signed information of the application 1 according to the first single-platform information of the application 1 and the first cross-platform identifier of the application 1.
In one implementation, the key management module obtains the first single-platform information of the application 1 and the reference signed information corresponding to the first cross-platform identifier of the application 1 from the stored correspondence between the first single-platform information of each of the plurality of applications, the cross-platform identifier of the application, and the reference signed information, and uses the obtained reference signed information as the reference signed information of the application 1.
In another implementation, the reference signed information of the application 1 may be obtained by:
Step one: determine the first algorithm according to the identifier of application 1. The first algorithm is the algorithm used to generate the second signed information of application 1 and is predefined in the computer device.
Specifically, the computer device prestores a correspondence between an identifier of each of the plurality of applications and identifier information of the first algorithm, and the key management module may obtain, from the correspondence between the identifier of the application and the identifier information of the first algorithm, identifier information of the first algorithm corresponding to the identifier of the application 1, and use the first algorithm corresponding to the obtained identifier information of the first algorithm as the first algorithm of the application 1.
Step two: generating signed information using the first algorithm of the application 1, the first cross-platform identification of the application 1, and the first single-platform information of the application 1, and using the generated signed information as reference signed information of the application 1.
It should be noted that the above ways of obtaining the reference signed information of application 1 may be used whether the operating system of the source computer device is the same as or different from that of the target computer device. When the two operating systems are the same, the first single-platform information of application 1 is the same as the second single-platform information of application 1, where the second single-platform information of application 1 is the single-platform information of application 1 in the key record in which the first secret key identifier is located (that is, the key record sent by the source computer device to the target computer device). In that case, the key management module may also obtain the second signed information of the application from the key record in which the first secret key identifier is located and use it as the reference signed information of application 1. This helps save computing resources.
S105: The key management module obtains the second verification signature public key corresponding to the first secret key identifier according to the first secret key identifier, and uses it as the second verification signature public key of application 1.
Specifically, the key management module obtains the second verification signature public key in the key record where the first secret key identifier is located, and uses the obtained second verification signature public key as the second verification signature public key of the application 1. The key record includes a first secret key identifier, a first secret key value, a cross-platform identifier of the application 1, and a second verification signature public key of the application 1. The key record may further include the second signed information of the application 1 and the single platform information of the application 1.
S106: The key management module obtains the verification algorithm of the second signature algorithm of application 1 according to the identifier of application 1.
Specifically, the key management module defines a verification algorithm of the second signature algorithm of the application 1.
It should be noted that, in the embodiment of the present application, the execution order of S102 and S103 is not limited, and for example, S102 may be executed after S103 is executed. In the embodiment of the present application, the execution sequence of S104, S105, and S106 is not limited, and for example, after S105 is executed, S106 is executed, and then S104 is executed.
S107: the secret key management module obtains a verification result of the signature information to be verified of the application 1 by adopting a verification algorithm of the second signature algorithm of the application 1 according to the second verification signature public key of the application 1 and the reference signed information of the application 1, wherein the verification result comprises: verification passed or verification failed.
Specifically, the key management module may input the signature information to be verified of the application 1, the second verification signature public key of the application 1, and the reference signed information of the application 1 into a verification algorithm of the second signature algorithm of the application 1, to obtain a verification result of the signature information to be verified of the application 1. And the second signature algorithm is a signature algorithm adopted when the signature information to be verified is obtained.
If the verification result is that the verification is passed, the key use request of application 1 is legitimate. The key management module then provides application 1 with the service requested by the key use request and sends the result to application 1. Specifically, when the requested service is to obtain the first secret key value, the key management module obtains the key value in the key record in which the first secret key identifier is located, uses it as the first secret key value, and sends it to application 1. When the requested service is to encrypt the data of application 1 using the key value, the key management module obtains the key value in the key record in which the first secret key identifier is located, uses it as the first secret key value, encrypts the data of application 1 carried in the key use request with the first secret key value according to the encryption algorithm indicated in the key use request, and sends the encrypted data to application 1. When the requested service is to perform a signature operation on the third signed information of application 1 using the key value according to a third signature algorithm, the key management module obtains the key value in the key record in which the first secret key identifier is located, uses it as the first secret key value, performs the signature operation on the third signed information of application 1 with the first secret key value as the signature private key according to the third signature algorithm to obtain third signature information, and sends the obtained third signature information to application 1.
If the verification result is that the verification is not passed, the key use request of application 1 is not legitimate. The key management module then generates a notification message indicating that the key use request failed verification, and sends the notification message to application 1.
In this embodiment of the present application, the key management module verifies the signature information to be verified in the key use request against the reference signed information. The cross-platform identifier of the application in the reference signed information comes from the key record, so the application to which the key indicated by the key identifier in the key record belongs can be determined, and the single-platform information of the application comes from the target computer device, which increases security. This solves the prior-art problem that, after a key is transmitted between computer devices with different operating systems, the key management module cannot determine from the single-platform information in the key record which application the key indicated by the key identifier in the key record belongs to, so that a key use request from an application with a legitimate source cannot pass verification. For example, the cross-platform identifier of application 1 in the source computer device is cross-platform identifier 1, the cross-platform identifier of application 1 in the target computer device is also cross-platform identifier 1, and key 1 is a key of application 1 with cross-platform identifier 1. After key 1 is transmitted to the target computer device and application 1 requests key 1 there, the target computer device still recognizes cross-platform identifier 1 as the cross-platform identifier of application 1, so the key use request with which application 1 requests key 1 on the target computer device can pass verification.
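The check in S102 to S107, as an added Go example that is not part of the patent text: the key management module rebuilds the reference signed information from the record's cross-platform identifier and the OS-reported single-platform information, then verifies the request's signature with the public key from the key record. ECDSA P-256, the length-prefixed SHA-256 form of the first algorithm, the `OSLookup` table standing in for the platform service, and all identifiers and values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyRecord carries the fields the page lists for a transferred key record.
type KeyRecord struct {
	KeyValue        []byte
	CrossPlatformID string
	VerifyKey       *ecdsa.PublicKey // second verification signature public key
}

// KeyManager is the key management module on the target device.
type KeyManager struct {
	Records  map[string]KeyRecord // indexed by key identifier
	OSLookup map[string]string    // caller identifier -> single-platform info (assumed stand-in for the PMS)
}

var ErrDenied = errors.New("key use request failed verification")

// signedInfo is one possible "first algorithm": combine both fields, then SHA-256.
// Length-prefixing is a choice made for this example (the page leaves the combination
// open) so that two different field pairs never combine to the same bytes.
func signedInfo(crossID, singleInfo string) []byte {
	h := sha256.New()
	for _, field := range []string{crossID, singleInfo} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		h.Write(n[:])
		h.Write([]byte(field))
	}
	return h.Sum(nil)
}

// IssueSignature plays the application server's signature module.
func IssueSignature(priv *ecdsa.PrivateKey, crossID, singleInfo string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedInfo(crossID, singleInfo))
}

// GetKey handles an "obtain the key value" request, following S102 to S107.
func (m *KeyManager) GetKey(callerID, keyID string, sig []byte) ([]byte, error) {
	rec, ok := m.Records[keyID]
	if !ok {
		return nil, fmt.Errorf("%w: no record for %q", ErrDenied, keyID)
	}
	singleInfo, ok := m.OSLookup[callerID] // S102: taken from the OS, never from the request
	if !ok {
		return nil, fmt.Errorf("%w: caller %q unknown to the OS", ErrDenied, callerID)
	}
	ref := signedInfo(rec.CrossPlatformID, singleInfo) // S103, S104
	if !ecdsa.VerifyASN1(rec.VerifyKey, ref, sig) {    // S105 to S107
		return nil, ErrDenied
	}
	return rec.KeyValue, nil
}

// Scenario sends three constructed requests for a record that was created on
// another platform and reports whether each one was granted.
func Scenario() (legit, replayed, selfSigned bool, err error) {
	dev, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // developer's second signature key pair
	rogue, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair of an unrelated application
	if err1 != nil || err2 != nil {
		return false, false, false, errors.New("key generation failed")
	}
	km := &KeyManager{
		Records: map[string]KeyRecord{
			"keyid1": {KeyValue: []byte("constructed-key-value"), CrossPlatformID: "examplechat", VerifyKey: &dev.PublicKey},
		},
		OSLookup: map[string]string{
			"caller-1": "com.example.chat.ios", // the application the key belongs to
			"caller-2": "com.example.other",    // a different application on the same device
		},
	}
	good, err3 := IssueSignature(dev, "examplechat", "com.example.chat.ios")
	forged, err4 := IssueSignature(rogue, "examplechat", "com.example.other")
	if err3 != nil || err4 != nil {
		return false, false, false, errors.New("signing failed")
	}
	_, e1 := km.GetKey("caller-1", "keyid1", good)   // owner, signature issued for this platform
	_, e2 := km.GetKey("caller-2", "keyid1", good)   // other application replays the owner's signature
	_, e3 := km.GetKey("caller-2", "keyid1", forged) // other application signs the claim with its own key
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	fmt.Println(Scenario()) // owner granted, replay granted, self-signed granted, error
}
```

The replay fails because the reference signed information is computed from what the operating system reports about the caller, and the self-signed claim fails because the verification key comes from the key record rather than from the request.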
Example two
Fig. 5 is a schematic flowchart of another key access control method according to an embodiment of the present application. Illustratively, the present embodiment may be applied to the computer device shown in fig. 2. The method shown in fig. 5 may include the steps of:
S200: Application 1 generates a key use request. The key use request is used by application 1 to request a service from the key management module. Application 1 is any one of the applications in the target computer device. The key use request includes: a first secret key identifier.
Optionally, the key use request further includes: the signature information to be verified for the application 1.
For a detailed description of the application 1 requesting the key management module for service, reference is made to S100 in the first embodiment, which is not described again.
The identifier of the application 1 is an identifier that can be recognized by an operating system in which the application 1 is located, and is used for the key management module to obtain the single-platform information of the application 1 through a function provided by the operating system. The identifier of the application 1 is different from the single-platform identifier of the application 1 and the cross-platform identifier of the application 1. The key value corresponding to the first secret key identifier is the first secret key value.
This embodiment of the present application does not limit the trigger condition for application 1 to generate the key use request. For example, application 1 generates the key use request when data of application 1 needs to be encrypted; in that case the service requested by the key use request is to encrypt the data of application 1 using the first secret key value.
S201: the application 1 sends the key use request to the key management module.
S202: The key management module obtains the cross-platform identifier in the key record in which the first secret key identifier is located, and uses it as the first cross-platform identifier of application 1.
S203: The key management module obtains the first single-platform information of application 1. The first single-platform information is the single-platform information of application 1 in the operating system of the target computer device. The target computer device where application 1 is located is preset with the single-platform information of a plurality of applications.
For example, in the android system, the key management module uses a Package Management Service (PMS) in the platform to obtain an identifier of the application 1, and uses the identifier of the application 1 to obtain single-platform information of the application corresponding to the identifier of the application 1, and uses the obtained single-platform information of the application as first single-platform information of the application 1.
S204: The key management module obtains a second cross-platform identifier of application 1 according to the first single-platform information of application 1. The second cross-platform identifier of application 1 is used by the key management module to determine the key records that belong to application 1.
Specifically, the key management module obtains a cross-platform identifier corresponding to the first single-platform information from a stored corresponding relationship between a cross-platform identifier of each of the plurality of applications and the single-platform information, and uses the obtained cross-platform identifier as a second cross-platform identifier of the application 1.
It should be noted that, in the embodiment of the present application, the execution order of S202 and S203 to S204 is not limited, and for example, S202 is executed after S203 to S204 are executed.
S205: the key management module determines whether the first cross-platform identifier of the application 1 is the same as the second cross-platform identifier of the application 1.
If yes, it indicates that the key indicated by the key id included in the key record in which the first secret key id is located belongs to the application 1, then S206 is performed. If not, it indicates that the key indicated by the key id included in the key record in which the first secret key id is located does not belong to the application 1, then S207 is executed.
S206: the key management module provides the application 1 with the service requested by the key use request.
Subsequently, the key management module obtains a result of the service requested by the key use request, and sends the result to the application 1.
S207: the key management module generates a notification message. The notification message indicates that the key usage request authentication failed.
Subsequently, the key management module sends the notification message to the application 1.
It should be noted that S204 to S205 are optional steps in this embodiment. When the key use request further includes the signature information to be verified of application 1, and that signature information is obtained by performing a signature operation on the first cross-platform identifier of the application with the second signature private key according to the second signature algorithm, then after executing S200 to S203 the key management module may obtain the reference signed information of application 1 by the method of S104 in the first embodiment; in this case the reference signed information includes only the first cross-platform identifier. The key management module executes S105 to obtain the second verification signature public key of application 1, and executes S106 to obtain the verification algorithm of the second signature algorithm of application 1. Then, the key management module obtains the verification result of the signature information to be verified of application 1 by applying the verification algorithm of the second signature algorithm of application 1 with the second verification signature public key of application 1 and the reference signed information of application 1. The verification result is either verification passed or verification failed. If the verification is passed, the key use request of application 1 is legitimate; the key management module then provides application 1 with the service requested by the key use request and sends the result to application 1. If the verification is not passed, the key use request of application 1 is not legitimate; the key management module then generates a notification message indicating that the key use request failed verification.
The key management module sends the notification message to the application 1.
In this embodiment of the application, the key management module can determine, from the cross-platform identifier of the application included in each stored key record, the application to which the key indicated by the key identifier in that key record belongs. This overcomes a problem in the prior art: after a key is transmitted between computer devices running different operating systems, the key management module cannot determine, from the single-platform information in the key record, the application to which the key belongs, and therefore a key use request from a legitimate application fails verification. Illustratively, the cross-platform identifier of the application 1 in the source computer device is cross-platform identifier 1, the cross-platform identifier of the application 1 in the target computer device is also cross-platform identifier 1, and the key 1 is a key of the application 1 with cross-platform identifier 1. After the key 1 is transmitted to the target computer device and the application 1 requests the key 1 there, the target computer device can still recognize cross-platform identifier 1 as the cross-platform identifier of the application 1, so the key use request of the application 1 for the key 1 passes verification in the target computer device.
EXAMPLE III
Fig. 6 is a schematic flowchart of a method for obtaining a key record according to an embodiment of the present application. Illustratively, the present embodiment may be applied to the computer apparatus shown in fig. 2. The method shown in fig. 6 may include the steps of:
S301: the application 1 generates a storage request of the key record 1. The application 1 is any one of the applications in a computer device. The storage request of the key record 1 includes the first identification information and at least one of the cross-platform identification of the application 1 or the identification of the application 1.
Optionally, the storage request of the key record 1 further includes at least one of a key length or a second verification signature public key of the application 1. The first identification information indicates the algorithm used to generate the key value and the key identification of the key record 1. The key length identifies the security strength of the secret key value generated for the key record 1. The second verification signature public key of the application 1 corresponds to the second signature private key of the application 1, and is used by the key management module to verify the signature information to be verified of the application 1. For details, refer to S107 in the first embodiment, which is not described again.
Optionally, the storage request of the key record 1 further includes: second signed information of application 1 and single platform information of application 1.
Illustratively, the platform of the application 1 may be the Android operating system, the application 1 may be Weixin, and the cross-platform identifier of the application in the storage request of the key record 1 generated by the application 1 may be weixin.
The embodiment of the present application does not limit the trigger condition for the application 1 to generate the storage request of the key record 1, and for example, the application 1 generates the storage request of the key record 1 when generating the data to be encrypted.
S302: the application 1 sends a storage request of the key record 1 to a key management module.
S303: the key management module generates a key identifier and a secret key value of the key record 1 according to the first identifier information.
Alternatively, when the storage request of the key record 1 further includes the key length, the key management module generates the key identifier and the secret key value of the key record 1 according to the first identifier information and the key length.
The embodiment of the present application does not limit the method for generating the key identifier and the secret key value of the key record 1. Exemplarily, the algorithm indicated by the first identifier information, as defined in the key management module, defines rules for generating key values of various lengths. By inputting the key length into that algorithm, the key management module may execute the rule for generating a key value of that length and thereby generate the secret key value. The key management module may generate a unique serial number as the key identifier for the key value.
S304: the key management module acquires the cross-platform identification of the application 1 according to the identification of the application 1.
Specifically, the key management module obtains the single-platform information of the application 1 according to the identifier of the application 1, and obtains the cross-platform identifier of the application 1 corresponding to the single-platform information of the application 1 according to the corresponding relationship between the single-platform information of the application 1 and the cross-platform identifier of the application 1.
The embodiment of the present application does not limit the manner of obtaining, from the corresponding relationship between the single-platform information of the application 1 and the cross-platform identifier of the application 1, the cross-platform identifier that corresponds to the single-platform information of the application 1.
In an implementation manner, a query server (e.g., a cloud server) of the key management module stores a corresponding relationship between the single-platform information of the application 1 and the cross-platform identifier of the application 1, and the key management module may send the single-platform information of the application 1 to the query server to query the cross-platform identifier of the application 1 corresponding to the single-platform information of the application 1.
In another implementation manner, a corresponding relationship between the single-platform information of the application 1 and the cross-platform identifier of the application 1 is preset in the storage module, and the corresponding relationship may be obtained by downloading through a query server, or may be preset in the storage module during production of the computer device. The key management module may send the single platform information of the application 1 to the storage module to query the cross-platform identifier of the application 1 corresponding to the single platform information of the application 1.
It should be noted that S304 is an optional step. When the storage request of the key record 1 includes the cross-platform identifier of the application 1, S304 does not need to be executed; when it does not, S304 needs to be executed. The embodiment of the present application does not limit the execution sequence of S303 and S304; for example, S303 may be executed after S304.
S305: the key management module generates a key record 1 for the application 1. The key record 1 comprises a key identification of the key record 1, a secret key value and a cross-platform identification of the application 1.
Optionally, when the storage request of the key record 1 includes the second signed information of the application 1, the key record 1 may further include at least one of a second verification signature public key of the application 1, the second signed information of the application 1, or the single-platform information of the application 1.
It should be noted that the key identifier and the secret key value of the key record 1 can be generated by the key management module, as shown in the second embodiment, or by the application. When the application generates the key, the storage request of the key record 1 in S301 further includes the key identifier and the secret key value of the key record 1. Subsequently, the key management module generates the key record 1 according to the information in the storage request of the key record 1, and stores the key record 1.
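The following added example (not code from the patent or its applicant) walks through S303 to S305 and then the cross-platform identifier comparison described earlier for a key that has been transferred to a device running a different operating system. The identifier table, algorithm label, class and function names are all assumptions made for illustration, and the signature verification of the first embodiment is left out.

```python
import secrets
import uuid
from dataclasses import dataclass

# Constructed lookup table: (operating system, single-platform identifier) ->
# cross-platform identifier. All names are made up for this example.
ID_MAP = {
    ("android", "com.example.chat"): "chat.example",
    ("ios", "example-chat-ios"): "chat.example",
    ("ios", "example-notes-ios"): "notes.example",
}

# Assumed rule set: key lengths (in bits) allowed per algorithm label.
KEY_LENGTHS = {"AES": (128, 192, 256)}


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    key_value: bytes
    cross_platform_id: str    # owner binding that survives a transfer
    single_platform_id: str   # optional field, kept to show the prior-art check


class KeyManager:
    def __init__(self, platform, id_map=ID_MAP):
        self.platform = platform
        self.id_map = id_map
        self.records = {}

    def resolve(self, app_id):
        """S304: single-platform information -> cross-platform identifier."""
        return self.id_map.get((self.platform, app_id))

    def store_key(self, app_id, algorithm="AES", key_bits=256):
        """S303 to S305: generate key id and value, bind them to the owner."""
        if key_bits not in KEY_LENGTHS.get(algorithm, ()):
            raise ValueError("unsupported algorithm or key length")
        owner = self.resolve(app_id)
        if owner is None:
            raise PermissionError("application has no cross-platform identifier")
        record = KeyRecord(uuid.uuid4().hex, secrets.token_bytes(key_bits // 8),
                           owner, app_id)
        self.records[record.key_id] = record
        return record.key_id

    def import_record(self, record):
        """Accept a key record transferred from another device."""
        self.records[record.key_id] = record

    def verify_use(self, app_id, key_id):
        """Compare the identifier bound to the key with the requester's."""
        record = self.records.get(key_id)
        requester = self.resolve(app_id)
        # Fail closed: an unknown key or an unmapped application never passes.
        if record is None or requester is None:
            return False
        return record.cross_platform_id == requester

    def verify_use_single_platform(self, app_id, key_id):
        """Prior-art style check on the single-platform identifier only."""
        record = self.records.get(key_id)
        return record is not None and record.single_platform_id == app_id


def demo():
    source = KeyManager("android")
    target = KeyManager("ios")
    key_id = source.store_key("com.example.chat")
    target.import_record(source.records[key_id])   # key moves between devices
    return {
        "source_owner": source.verify_use("com.example.chat", key_id),
        "target_same_app": target.verify_use("example-chat-ios", key_id),
        "target_other_app": target.verify_use("example-notes-ios", key_id),
        "target_unmapped_app": target.verify_use("unknown-app", key_id),
        "target_prior_art": target.verify_use_single_platform(
            "example-chat-ios", key_id),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'pass' if passed else 'fail'}")
```

The last entry shows the prior-art failure the description refers to: a check on the single-platform identifier rejects the legitimate application once the key is on the other operating system, while the cross-platform comparison accepts it and still rejects other applications.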
The scheme provided by the embodiment of the application has been described mainly from the perspective of the method. To implement the above functions, the computer device includes a hardware structure and/or a software module for performing each function. Those of skill in the art will readily appreciate that the exemplary method steps described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the computer device may be divided into the functional modules according to the method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and another division manner may be available in actual implementation.
Fig. 7 is a schematic structural diagram of a key access control device according to an embodiment of the present application. The key access control device 70 may be configured to perform the functions performed by the computer apparatus in any of the above embodiments (such as the embodiments shown in fig. 4 or fig. 6). The key access control device 70 comprises a plurality of applications including a first application. The key access control device 70 further includes: a generating module 701 and a key management module 702. The generating module 701 is configured to generate a key usage request based on the first application. The key use request comprises a first secret key identification and signature information to be verified of the first application. The key management module 702 is configured to obtain the reference signed information of the first application according to the identifier of the first application and the first secret key identifier. The reference signed information of the first application is generated based on the single-platform information of the first application and the first cross-platform identifier, and the single-platform information of the first application includes the single-platform identifier of the first application in the operating system of the key access control device 70. The key management module 702 is further configured to verify the signature information to be verified of the first application according to the first secret key identifier and the reference signed information of the first application, so as to obtain a verification result. The verification result is used for indicating whether the key use request is verified to pass. For example, with reference to fig. 4, the generating module 701 may be configured to execute S100, and the key management module 702 may be configured to execute S102 to S107. With reference to fig. 6, the generating module 701 may be configured to perform S301, and the key management module 702 may be configured to perform S303 to S305.
Optionally, the key management module 702 is specifically configured to: obtain single-platform information of the first application using the identification of the first application; acquire, according to the first secret key identifier, a first cross-platform identifier of the first application corresponding to the first secret key identifier from the corresponding relation between each secret key identifier in the multiple secret key identifiers and the cross-platform identifier of the application; and acquire reference signed information of the first application based on the single-platform information and the first cross-platform identification of the first application.
Optionally, the key management module 702 is specifically configured to: generate reference signed information of the first application by adopting a hash algorithm based on the single-platform information and the first cross-platform identification of the first application.
Optionally, the key management module 702 is specifically configured to: according to the single-platform information and the first cross-platform identification of the first application, use, from the corresponding relation between each piece of reference signed information in the plurality of pieces of reference signed information and the first information of the application, the reference signed information corresponding to the single-platform information and the first cross-platform identification of the first application as the reference signed information of the first application. The first information of the application comprises single-platform information of the application and cross-platform identification of the application.
Optionally, the single-platform information of the first application further includes: an application signature of the first application and a single-platform signature public key of the first application. The application signature of the first application is information obtained by performing signature operation on the installation package information of the first application.
Optionally, the key management module 702 is specifically configured to: acquire, according to the first secret key identification, the verification signature public key of the first application from the corresponding relation between each secret key identification in the plurality of secret key identifications and the verification signature public key; and verify the signature information to be verified of the first application according to the verification signature public key of the first application and the reference signed information of the first application. The single platform signature public key of the first application is used to verify the application signature of the first application.
Optionally, the generating module 701 is further configured to generate a corresponding relation between the second secret key identifier and the first cross-platform identifier. The key access control apparatus 70 further includes a sending module 703, configured to send, to the second computer device, the correspondence between the second secret key identifier and the first cross-platform identifier. The second computer device is a different device from the key access control device 70.
Optionally, the generating module 701 is further configured to generate the corresponding relation between the second secret key identification and the verification signature public key of the first application. The sending module 703 is further configured to send the corresponding relation between the second secret key identification and the verification signature public key of the first application to the second computer device.
In an example, referring to fig. 3, the sending module 703 may be implemented by the communication interface 104 in fig. 3; both the generation module 701 and the key management module 702 may be implemented by the processor 101 in fig. 1 invoking a computer program stored in the memory 103.
Fig. 7 is a schematic structural diagram of a key access control device according to an embodiment of the present application. The key access control device 70 may be configured to perform the functions performed by the computer apparatus in any of the above embodiments (such as the embodiment shown in fig. 5). The key access control device 70 includes a plurality of applications including a first application. The key access control device 70 further includes: a generation module 701 and a key management module 702. The generating module 701 is configured to generate a key usage request based on the first application. The key use request includes a first secret key identification. The key management module 702 is configured to: obtain, according to the first secret key identifier, a first cross-platform identifier of the first application corresponding to the first secret key identifier from a correspondence between each of the plurality of secret key identifiers and the cross-platform identifier of the application; acquire single platform information of the first application, where the single platform information of the first application comprises a single platform identification of the first application in the operating system of the key access control device 70; acquire, according to the single-platform information of the first application, a second cross-platform identifier corresponding to the single-platform information of the first application from the corresponding relation between the single-platform information of each application in the plurality of applications and the cross-platform identifier; and, if the first cross-platform identifier is different from the second cross-platform identifier, determine that the key use request is not verified. For example, in conjunction with fig. 5, the generating module 701 may be configured to perform S200, and the key management module 702 may be configured to perform S202 to S207.
Optionally, the generating module 701 is further configured to: and generating a corresponding relation between the second secret key identifier and the first cross-platform identifier. The key access control apparatus 70 further includes a sending module 703, configured to send, to the second computer device, a corresponding relationship between the second secret key identifier and the first cross-platform identifier. Wherein the second computer device is a different device than the key access control device 70.
In an example, referring to fig. 3, the sending module 703 may be implemented by the communication interface 104 in fig. 3; both the generation module 701 and the key management module 702 may be implemented by the processor 101 in fig. 1 invoking a computer program stored in the memory 103.
For the detailed description of the above alternative modes, reference is made to the foregoing method embodiments, which are not described herein again. In addition, for any explanation and beneficial effect description of the key access control device 70 provided above, reference may be made to the corresponding method embodiment described above, and details are not repeated.
It should be noted that the actions performed by the modules are only specific examples, and the actions actually performed by the modules refer to the actions or steps mentioned in the description of the embodiments based on fig. 4, fig. 5, or fig. 6.
An apparatus (e.g., a computer device or a chip) is further provided in an embodiment of the present application, including: a memory and a processor; the memory is for storing a computer program, and the processor is for invoking the computer program to perform the actions or steps mentioned in any of the embodiments provided above.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and the computer program is configured to cause a computer to perform the actions or steps mentioned in any of the above-provided embodiments when the computer program runs on the computer.
The embodiment of the application also provides a chip. Integrated with the chip are circuitry and one or more interfaces for implementing the functionality of the computer device described above. Optionally, the functions supported by the chip may include processing actions in the embodiments described based on fig. 4 to fig. 6, which are not described herein again. Those skilled in the art will appreciate that all or part of the steps for implementing the above embodiments may be implemented by a program instructing the associated hardware to perform the steps. The program may be stored in a computer-readable storage medium. The above-mentioned storage medium may be a read-only memory, a random access memory, or the like. The processing unit or processor may be a central processing unit, a general purpose processor, an Application Specific Integrated Circuit (ASIC), a microprocessor (DSP), a Field Programmable Gate Array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
The embodiments of the present application also provide a computer program product containing instructions which, when executed on a computer, cause the computer to execute any one of the methods in the above embodiments. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the embodiments of the present application are generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). A computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), among others.
It should be noted that the above devices for storing computer instructions or computer programs provided in the embodiments of the present application, such as, but not limited to, the above memories, computer readable storage media, communication chips, and the like, are all nonvolatile (non-volatile).
Other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and figures are merely exemplary of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application.

Claims (20)

1. A key access control method applied to a target computer device, the target computer device comprising a plurality of applications, the plurality of applications comprising a first application; the method comprises the following steps:
generating a key use request based on the first application; the key use request comprises a first secret key identifier and signature information to be verified of the first application;
acquiring reference signed information of the first application according to the identifier of the first application and the first secret key identifier; the reference signed information of the first application is generated based on single platform information and a first cross-platform identification of the first application, wherein the single platform information of the first application comprises the single platform identification of the first application in an operating system of the target computer device;
verifying the signature information to be verified of the first application according to the first secret key identification and the reference signed information of the first application to obtain a verification result; the verification result is used for indicating whether the key use request is verified.
2. The method according to claim 1, wherein said obtaining the reference signed information of the first application based on the identity of the first application and the first secret key identity comprises:
acquiring single-platform information of the first application by using the identifier of the first application;
according to the first secret key identifier, acquiring a first cross-platform identifier of the first application corresponding to the first secret key identifier from a corresponding relation between each secret key identifier in a plurality of secret key identifiers and a cross-platform identifier of the application;
and acquiring reference signed information of the first application based on the single-platform information and the first cross-platform identification of the first application.
3. The method of claim 2, wherein obtaining the reference signed information of the first application based on the single platform information and the first cross-platform identifier of the first application comprises:
and generating reference signed information of the first application by adopting a hash algorithm based on the single-platform information of the first application and the first cross-platform identification.
4. The method according to claim 2, wherein the obtaining the reference signed information of the first application based on the single-platform information of the first application and the first cross-platform identifier comprises:
according to the single-platform information and the first cross-platform identification of the first application, from the corresponding relation between each piece of reference signed information in a plurality of pieces of reference signed information and the first information of the application, using the reference signed information corresponding to the single-platform information and the first cross-platform identification of the first application as the reference signed information of the first application; the first information of the application comprises single-platform information of the application and cross-platform identification of the application.
5. The method of any of claims 1-4, wherein the single platform information of the first application further comprises: an application signature of the first application and a single-platform signature public key of the first application; the application signature of the first application is information obtained by performing signature operation on the installation package information of the first application; the single-platform signature public key of the first application is used for verifying the application signature of the first application.
6. The method according to any one of claims 1 to 5, wherein the verifying the signature information to be verified of the first application according to the first secret key identifier and the reference signed information of the first application comprises:
acquiring, according to the first secret key identification, a verification signature public key of the first application from the corresponding relation between each secret key identification in the plurality of secret key identifications and the verification signature public key;
and verifying the signature information to be verified of the first application according to the verification signature public key of the first application and the reference signed information of the first application.
7. The method of any one of claims 1-6, further comprising:
generating a corresponding relation between a second secret key identifier and the first cross-platform identifier;
and sending the corresponding relation between the second secret key identifier and the first cross-platform identifier to a second computer device, wherein the second computer device is a computer device different from the target computer device.
8. The method of claim 7, further comprising:
generating a corresponding relation between the second secret key identification and the verification signature public key of the first application;
and sending the corresponding relation between the second secret key identification and the verification signature public key of the first application to the second computer equipment.
9. A key access control method applied to a target computer device, the target computer device comprising a plurality of applications, the plurality of applications comprising a first application; the method comprises the following steps:
generating a key use request based on the first application; the key use request comprises a first secret key identifier;
according to the first secret key identifier, acquiring a first cross-platform identifier of the first application corresponding to the first secret key identifier from a corresponding relation between each secret key identifier in a plurality of secret key identifiers and a cross-platform identifier of the application;
acquiring single platform information of the first application; the single platform information of the first application comprises a single platform identification of the first application in an operating system of the target computer device;
according to the single-platform information of the first application, acquiring a second cross-platform identifier corresponding to the single-platform information of the first application from the corresponding relation between the single-platform information of each application in the plurality of applications and the cross-platform identifier;
if the first cross-platform identifier is the same as the second cross-platform identifier, determining that the key use request is verified; and if the first cross-platform identifier is different from the second cross-platform identifier, determining that the key use request verification is not passed.
10. A computer device, wherein the computer device comprises a plurality of applications, wherein the plurality of applications comprises a first application; the computer device further comprises:
a generation module that generates a key use request based on the first application; the secret key use request comprises a first secret key identifier and signature information to be verified of the first application;
the secret key management module is used for acquiring reference signed information of the first application according to the identifier of the first application and the first secret key identifier; the reference signed information of the first application is generated based on single platform information and a first cross-platform identification of the first application, wherein the single platform information of the first application comprises the single platform identification of the first application in an operating system of the computer device; verifying the signature information to be verified of the first application according to the first secret key identification and the reference signed information of the first application to obtain a verification result; the verification result is used for indicating whether the key use request is verified.
11. The computer device of claim 10, wherein the key management module is specifically configured to:
acquiring single-platform information of the first application by using the identifier of the first application;
according to the first secret key identifier, acquiring a first cross-platform identifier of the first application corresponding to the first secret key identifier from a corresponding relation between each secret key identifier in a plurality of secret key identifiers and a cross-platform identifier of the application;
and acquiring reference signed information of the first application based on the single-platform information and the first cross-platform identification of the first application.
12. The computer device of claim 11, wherein the key management module is specifically configured to:
and generating reference signed information of the first application by adopting a hash algorithm based on the single-platform information and the first cross-platform identification of the first application.
13. The computer device of claim 11, wherein the key management module is specifically configured to:
according to the single-platform information and the first cross-platform identification of the first application, from the corresponding relation between each piece of reference signed information in the plurality of pieces of reference signed information and the first information of the application, using the reference signed information corresponding to the single-platform information and the first cross-platform identification of the first application as the reference signed information of the first application; the first information of the application comprises single-platform information of the application and cross-platform identification of the application.
14. The computer device of any of claims 10-13, wherein the single platform information of the first application further comprises: an application signature of the first application and a single-platform signature public key of the first application; the application signature of the first application is information obtained by performing signature operation on the installation package information of the first application; the single-platform signature public key of the first application is used for verifying the application signature of the first application.
15. The computer device of any one of claims 10-14, wherein the key management module is specifically configured to:
acquiring, according to the first secret key identifier, a verification signature public key of the first application from the corresponding relation between each secret key identifier in a plurality of secret key identifiers and a verification signature public key;
and verifying the signature information to be verified of the first application according to the verification signature public key of the first application and the reference signed information of the first application.
16. The computer device of any one of claims 10-15,
the generation module is further configured to: generating a corresponding relation between a second secret key identifier and the first cross-platform identifier;
the computer device further includes a sending module, configured to send a correspondence between the second secret key identifier and the first cross-platform identifier to a second computer device, where the second computer device is a computer device different from the computer device.
17. The computer device of claim 16,
the generation module is further configured to: generating a corresponding relation between the second secret key identifier and the verification signature public key of the first application;
the sending module is further configured to: sending the corresponding relation between the second secret key identifier and the verification signature public key of the first application to the second computer device.
18. A computer device, wherein the computer device comprises a plurality of applications, wherein the plurality of applications comprises a first application; the computer device further comprises:
a generation module that generates a key use request based on the first application; the key use request comprises a first secret key identifier;
the key management module is used for acquiring a first cross-platform identifier of the first application corresponding to the first secret key identifier from a corresponding relation between each secret key identifier in the multiple secret key identifiers and a cross-platform identifier of the application according to the first secret key identifier; acquiring single platform information of the first application; the single platform information of the first application comprises a single platform identification of the first application in an operating system of the computer device; according to the single-platform information of the first application, acquiring a second cross-platform identifier corresponding to the single-platform information of the first application from the corresponding relation between the single-platform information of each application in the plurality of applications and the cross-platform identifier; if the first cross-platform identifier is the same as the second cross-platform identifier, determining that the key use request passes verification; and if the first cross-platform identifier is different from the second cross-platform identifier, determining that the key use request verification is not passed.
19. A computer-readable storage medium, having stored thereon a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1-9.
20. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1-9 are implemented when the program is executed by the processor.
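The verification recited in claim 18 (and in the corresponding method claim) can be sketched as follows. This is an added example, not code from the patent: `KeyManager`, `SinglePlatformInfo`, the identifiers and the fingerprints are hypothetical, constructed values, and the signing-key field follows claim 14's extension of the single-platform information.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SinglePlatformInfo:
    """An application's identity on one operating system."""
    platform: str        # operating system name (constructed values below)
    app_id: str          # single-platform identifier, e.g. a package name
    signing_pubkey: str  # fingerprint of the single-platform signature public key

class KeyManager:
    """Hypothetical key management module holding the two correspondences."""
    def __init__(self, key_to_xid, app_to_xid):
        self.key_to_xid = dict(key_to_xid)  # key identifier -> cross-platform identifier
        self.app_to_xid = dict(app_to_xid)  # single-platform info -> cross-platform identifier

    def verify_key_use(self, key_id, caller):
        """Return (passed, reason). `caller` must be what the operating system
        reports about the requesting process, never a value from the request."""
        first = self.key_to_xid.get(key_id)    # first cross-platform identifier
        if first is None:
            return False, "unknown key identifier"
        second = self.app_to_xid.get(caller)   # second cross-platform identifier
        if second is None:
            return False, "caller has no cross-platform identifier"
        if first != second:
            return False, "cross-platform identifier mismatch"
        return True, "ok"

# Constructed sample data: one vendor's wallet on two platforms, an unrelated
# notes app, and a package-name squatter signed with a different key.
WALLET_A = SinglePlatformInfo("os-a", "com.example.wallet", "a1" * 32)
WALLET_B = SinglePlatformInfo("os-b", "example.wallet", "b2" * 32)
NOTES_A = SinglePlatformInfo("os-a", "com.example.notes", "c3" * 32)
SQUATTER = SinglePlatformInfo("os-a", "com.example.wallet", "ff" * 32)

def demo():
    km = KeyManager(
        key_to_xid={"key-001": "xid-wallet"},
        app_to_xid={WALLET_A: "xid-wallet", WALLET_B: "xid-wallet",
                    NOTES_A: "xid-notes"},
    )
    return {
        "wallet_os_a": km.verify_key_use("key-001", WALLET_A),
        "wallet_os_b": km.verify_key_use("key-001", WALLET_B),
        "notes": km.verify_key_use("key-001", NOTES_A),
        "squatter": km.verify_key_use("key-001", SQUATTER),
        "unknown_key": km.verify_key_use("key-999", WALLET_A),
    }
```

Both lookups deny by default: an unknown key identifier, or a caller whose single-platform information (including its signing key) has no registered correspondence, fails before any comparison is made.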
CN202010092581.1A 2020-02-14 2020-02-14 Key access control method and device Active CN111414640B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010092581.1A CN111414640B (en) 2020-02-14 2020-02-14 Key access control method and device
PCT/CN2020/132720 WO2021159818A1 (en) 2020-02-14 2020-11-30 Secret key access control method and apparatus


Publications (2)

Publication Number Publication Date
CN111414640A CN111414640A (en) 2020-07-14
CN111414640B CN111414640B (en) 2022-07-22

Family

ID=71490937


Country Status (2)

Country Link
CN (1) CN111414640B (en)
WO (1) WO2021159818A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111414640B (en) * 2020-02-14 2022-07-22 华为技术有限公司 Key access control method and device
CN113051630B (en) * 2021-03-31 2024-07-23 联想(北京)有限公司 Control method and electronic equipment
CN114285581B (en) * 2021-12-07 2024-05-14 西安广和通无线通信有限公司 Application management method and related product

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105678192A (en) * 2015-12-29 2016-06-15 北京数码视讯科技股份有限公司 Smart card based secret key application method and application apparatus
CN107145769A (en) * 2017-03-31 2017-09-08 华为技术有限公司 A kind of digital rights management method about DRM, equipment and system
CN109525396A (en) * 2018-09-30 2019-03-26 华为技术有限公司 A kind of processing method, device and the server of identity code key

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8291224B2 (en) * 2005-03-30 2012-10-16 Wells Fargo Bank, N.A. Distributed cryptographic management for computer systems
CN103685267B (en) * 2013-12-10 2017-04-12 小米科技有限责任公司 Data access method and device
CN109982150B (en) * 2017-12-27 2020-06-23 国家新闻出版广电总局广播科学研究院 Trust chain establishing method of intelligent television terminal and intelligent television terminal
CN111414640B (en) * 2020-02-14 2022-07-22 华为技术有限公司 Key access control method and device

Also Published As

Publication number Publication date
CN111414640A (en) 2020-07-14
WO2021159818A1 (en) 2021-08-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant