CN111526025B - Method and system for realizing terminal unbinding and rebinding - Google Patents

Info

Publication number: CN111526025B
Application number: CN202010638428.4A
Authority: CN (China)
Other versions: CN111526025A
Original language: Chinese (zh)
Inventors: 陆舟, 于华章
Assignee (original and current): Feitian Technologies Co Ltd
Legal status: Active
Prior art keywords: privilege level, terminal, certificate, server, data packet

Classifications

All five codes fall under H04L9/00 (cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols):

    • H04L9/3263: means for verifying the identity or authority of a user or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/0891: key distribution or management; revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/3236: means for verifying identity or authority or for message authentication, using cryptographic hash functions
    • H04L9/3247: means for verifying identity or authority or for message authentication, involving digital signatures
    • H04L9/3268: as H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method and a system for realizing terminal unbinding and rebinding, and belongs to the field of information security. The privilege level server receives a key management instruction sent by the terminal and judges its type. If it is a privilege level rebinding instruction, the privilege level server generates a privilege level rebinding data packet from the terminal certificate identifier, the server certificate identifier and the privilege level server certificate and sends it to the terminal for verification; if the verification succeeds, the terminal clears all stored keys and replaces the common server certificate with the privilege level server certificate carried in the packet. If it is a privilege level unbinding instruction, the privilege level server forms a privilege level unbinding data packet from the terminal certificate identifier and the server certificate identifier and sends it to the terminal for verification; if the verification succeeds, the terminal clears all stored keys and the common server certificate. The invention suits the case where the terminal has lost the ability to execute 'unbinding' or 'rebinding' on its own, and is safe, reliable and low in cost.

Description

Method and system for realizing terminal unbinding and rebinding
Technical Field
The invention relates to the field of information security, in particular to a method and a system for realizing terminal unbinding and rebinding.
Background
After a terminal has been bound to a server, it may lose the ability to perform "unbinding" or "rebinding" for various reasons. For example, when the server's private key is leaked, the terminal needs to be rebound to a new server by some method; in the prior art, if the terminal has lost the ability to execute "unbinding" or "rebinding", it can only be returned to the factory for processing, which is cumbersome, costly and inconvenient.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method and a system for realizing terminal unbinding and rebinding.
The invention provides a method for realizing terminal unbinding and rebinding, which is characterized in that a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key are pre-stored in a terminal, and a privilege level server certificate and a plurality of common server certificates are pre-stored in a privilege level server, and the method comprises the following steps:
step S1: when the terminal receives the trigger information of the user, a key management instruction is sent to the privilege level server;
step S2: the privilege level server receives the key management instruction and determines its type; if it is a privilege level rebinding instruction, step S3 is executed, and if it is a privilege level unbinding instruction, step S6 is executed;
step S3: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level re-binding instruction, generates a privilege level re-binding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate, and sends the privilege level re-binding data packet to the terminal;
step S4: the terminal verifies the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, if the verification is successful, the step S5 is executed, and if the verification is failed, an error is reported;
step S5: the terminal clears all the stored keys and replaces the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
step S6: the privilege level server acquires the corresponding terminal certificate identifier and common server identifier according to the privilege level unbinding instruction, forms a privilege level unbinding data packet from the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier, and sends the privilege level unbinding data packet to the terminal;
step S7: the terminal verifies the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step S8 is executed, and if the verification is failed, an error is reported;
step S8: the terminal clears all the stored keys and common server certificates;
the step S4 of verifying the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key specifically includes:
step a1: the terminal verifies the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step b1: the terminal judges whether the terminal certificate identifier in the privilege level rebinding data packet matches the stored terminal certificate identifier; if so, the terminal continues, otherwise the verification fails and an error is reported;
step c1: the terminal judges whether the server certificate identifier in the privilege level rebinding data packet matches the server certificate identifier in the stored common server certificate; if so, the terminal continues, otherwise the verification fails and an error is reported;
step d1: the terminal verifies the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step e1: the terminal judges whether the privilege level server certificate in the privilege level rebinding data packet is valid; if so, the terminal continues, otherwise the verification fails and an error is reported;
when the verifications in step a1 and step d1 are successful and the determinations in step b1, step c1 and step e1 are all yes, the terminal has successfully verified the privilege level rebinding data packet using the stored privilege level data packet authentication certificate and the privilege level server authentication public key;
the step S7 of verifying the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate specifically includes:
step m1: the terminal verifies the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step n1: the terminal judges whether the terminal certificate identifier in the privilege level unbinding data packet matches the stored terminal certificate identifier; if so, the terminal continues, otherwise the verification fails and an error is reported;
step k1: the terminal judges whether the server certificate identifier in the privilege level unbinding data packet matches the server certificate identifier in the stored common server certificate; if so, the terminal continues, otherwise the verification fails and an error is reported;
when the verification in step m1 is successful and the determinations in steps n1 and k1 are both yes, the terminal has successfully verified the privilege level unbinding data packet using the stored privilege level data packet authentication certificate.
Further, the step S2 includes: the privilege level server judges preset byte data in the key management instruction; if the preset byte data is a first value, the key management instruction is a privilege level unbinding instruction, and if the preset byte data is a second value, the key management instruction is a privilege level rebinding instruction.
Further, the step S3 includes: the privilege level server acquires a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquires a stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from a common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, performs hash operation on the data to be signed to obtain a first hash operation result, encrypts the first hash operation result by using a private key in a privilege level data packet authentication certificate to obtain a first signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate a privilege level rebinding data packet.
Further, the verifying, by the terminal in the step a1, of the first signature value in the privilege level rebinding data packet using the stored privilege level data packet authentication certificate includes: the terminal sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate in the privilege level rebinding data packet to generate a first splicing result, performs a hash operation on the first splicing result to obtain a first hash result, decrypts the first signature value in the privilege level rebinding data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a first decryption result, and judges whether the first hash result is consistent with the first decryption result; if so, the verification is successful, and otherwise the verification fails.
Further, the verifying, by the terminal in the step d1, of the privilege level server certificate in the privilege level rebinding data packet using the stored privilege level server authentication public key includes: the terminal decrypts the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key to obtain a second decryption result, performs a hash operation on the data to be signed in that privilege level server certificate to obtain a second hash result, and judges whether the second decryption result is consistent with the second hash result; if so, the verification is successful, and if not, the verification fails.
Further, the determining, by the terminal in the step e1, of whether the privilege level server certificate in the privilege level rebinding data packet is valid includes: the terminal judges whether the valid date in the privilege level server certificate in the privilege level rebinding data packet is less than the current date; if so, the privilege level server certificate is valid, and otherwise it is invalid.
Further, the step S6 includes: the privilege level server obtains a terminal identifier and a common server identifier from the privilege level unbinding instruction, obtains the stored corresponding terminal certificate identifier according to the terminal identifier, obtains a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier and the server certificate identifier to obtain a first spliced value, performs a hash operation on the first spliced value to obtain a second hash operation result, encrypts the second hash operation result by using the private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier and the second signature value to obtain the privilege level unbinding data packet.
Further, the verifying, by the terminal in the step m1, of the second signature value in the privilege level unbinding data packet using the stored privilege level data packet authentication certificate includes: the terminal sequentially splices the terminal certificate identifier and the server certificate identifier in the privilege level unbinding data packet to generate a second splicing result, performs a hash operation on the second splicing result to obtain a third hash result, decrypts the second signature value in the privilege level unbinding data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a third decryption result, and judges whether the third hash result is consistent with the third decryption result; if so, the verification is successful and the terminal continues, otherwise the verification fails and an error is reported.
Further, between the step S2 and the step S3, the method further includes:
step A1: the privilege level server returns a receiving success response to the terminal;
step A2: the terminal generates a random number and sends the random number to the privilege level server;
step A3: the privilege level server receives the random number and discards the random number;
between the step S2 and the step S6, the method further comprises:
step B1: the privilege level server returns a receiving success response to the terminal;
step B2: the terminal generates a random number and sends the random number to the privilege level server;
step B3: the privilege level server receives the random number and discards it.
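The packet formats of steps S3 and S6 and the terminal-side checks of steps a1 to e1 and m1 to k1, as an added worked example that is not code from the patent or from Feitian. It assumes textbook RSA over SHA-256 as the unspecified hash-and-signature scheme (the patent describes verification as decrypting the signature value with the public key and comparing it to the hash, which is exactly that operation), 16-byte fixed-width identifiers, a toy certificate record, and reads the step e1 validity check as "the certificate's expiry date is not earlier than the current date"; build_packet, Terminal, outcome and every sample identifier are constructed for the demo.

```python
# Constructed demo of the patent's privilege-level rebind / unbind packets; not code from the patent
# or its assignee. Assumptions: textbook RSA-384 over SHA-256 stands in for the unspecified "hash,
# then decrypt the signature with the public key" scheme; identifiers are 16-byte fields; a
# certificate is the toy record cert_id || expiry(YYYY-MM-DD) || subject followed by its signature.
import hashlib
import random

ID_LEN, SIG_LEN = 16, 48   # identifier width; bytes in a 384-bit RSA signature


def is_probable_prime(n, rounds=32):
    """Miller-Rabin for the demo keys (n > 3 assumed); not production key generation."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=192):
    """Return ((n, e), (n, d)); n has 2*bits bits, so any SHA-256 value is below n."""
    e = 65537
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and is_probable_prime(p) and is_probable_prime(q):
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(priv, data):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, priv[1], priv[0]).to_bytes(SIG_LEN, "big")


def verify(pub, data, sig):
    # the patent's check: "decrypt" the signature with the public key and compare it to the hash
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]) == digest


def make_cert(cert_id, expiry, subject, issuer_priv):
    tbs = cert_id + expiry + subject              # expiry as b"YYYY-MM-DD"; ISO dates compare as bytes
    return tbs + sign(issuer_priv, tbs)


def cert_fields(cert):
    tbs, sig = cert[:-SIG_LEN], cert[-SIG_LEN:]   # -> (cert_id, expiry, data to be signed, signature)
    return tbs[:ID_LEN], tbs[ID_LEN:ID_LEN + 10], tbs, sig


def build_packet(term_cert_id, srv_cert_id, packet_auth_priv, priv_srv_cert=b""):
    """Step S3 (rebind) when a privilege-level server certificate is given, step S6 (unbind) otherwise."""
    to_sign = term_cert_id + srv_cert_id + priv_srv_cert
    return to_sign + sign(packet_auth_priv, to_sign)   # first / second signature value goes last


def require(ok, why):
    if not ok:
        raise ValueError(why)


def outcome(handler, *args):
    try:                                 # "ok", or the error the terminal reports
        return handler(*args)
    except ValueError as err:
        return str(err)


class Terminal:
    def __init__(self, term_cert_id, common_srv_cert, packet_auth_pub, priv_srv_auth_pub):
        self.term_cert_id = term_cert_id
        self.server_cert = common_srv_cert
        self.packet_auth_pub = packet_auth_pub       # public key of the packet authentication certificate
        self.priv_srv_auth_pub = priv_srv_auth_pub   # privilege-level server authentication public key
        self.keys = {"session": b"constructed-key-1", "mac": b"constructed-key-2"}

    def _check_ids(self, body):   # steps b1/c1 and n1/k1: both identifiers must match stored values
        require(self.server_cert is not None, "terminal is not bound to any server")
        require(body[:ID_LEN] == self.term_cert_id, "terminal certificate identifier mismatch")
        require(body[ID_LEN:2 * ID_LEN] == cert_fields(self.server_cert)[0],
                "server certificate identifier mismatch")

    def handle_rebind(self, packet, today):
        body, sig1 = packet[:-SIG_LEN], packet[-SIG_LEN:]
        require(verify(self.packet_auth_pub, body, sig1), "first signature value invalid")      # a1
        self._check_ids(body)                                                                  # b1, c1
        new_cert = body[2 * ID_LEN:]
        _, expiry, tbs, cert_sig = cert_fields(new_cert)
        require(verify(self.priv_srv_auth_pub, tbs, cert_sig), "server certificate signature invalid")  # d1
        require(expiry >= today, "privilege-level server certificate expired")  # e1, read as "not expired"
        self.keys.clear()                                                                      # S5
        self.server_cert = new_cert
        return "ok"

    def handle_unbind(self, packet):
        body, sig2 = packet[:-SIG_LEN], packet[-SIG_LEN:]
        require(verify(self.packet_auth_pub, body, sig2), "second signature value invalid")     # m1
        self._check_ids(body)                                                                  # n1, k1
        self.keys.clear()                                                                      # S8
        self.server_cert = None
        return "ok"
```

Every rejected packet leaves the terminal's keys and common server certificate untouched, and after an unbind the terminal holds no common server certificate, so step c1 can no longer match and a further privilege-level rebind is refused.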
The invention also provides a system for realizing the unbinding and rebinding of the terminal, which comprises the terminal and the privilege level server, wherein the terminal is pre-stored with a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key, and the privilege level server is pre-stored with a privilege level server certificate and a plurality of common server certificates;
the terminal includes: a first sending module, a first receiving module, a first verification module, a clearing and replacing module, a second verification module and a clearing module;
the privilege level server includes: a second receiving module, a first determining module, a first generating module, a second sending module and an obtaining and composing module;
the first sending module is used for sending a key management instruction to the privilege level server when the terminal receives the trigger information of the user;
the second receiving module is configured to receive the key management instruction sent by the terminal;
the first determining module is configured to determine the type of the key management instruction received by the second receiving module, trigger the first generating module if the key management instruction is a privilege level rebinding instruction, and trigger the obtaining and composing module if the key management instruction is a privilege level unbinding instruction;
the first generation module is used for acquiring a corresponding terminal certificate identifier and a common server identifier according to the privilege level rebinding instruction, and generating a privilege level rebinding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate;
the second sending module is configured to send the privilege level rebinding data packet generated by the first generating module to the terminal;
the first receiving module is configured to receive a privilege level rebinding data packet sent by the privilege level server;
the first verification module is used for verifying the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, triggering the clearing and replacing module if the verification is successful, and reporting an error if the verification fails;
the clearing and replacing module is used for clearing all the stored keys and replacing the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
the obtaining and composing module is used for acquiring the corresponding terminal certificate identifier and common server identifier according to the privilege level unbinding instruction, and forming a privilege level unbinding data packet from the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier;
the second sending module is further configured to send the privilege level unbinding data packet composed by the obtaining and composing module to the terminal;
the first receiving module is further used for receiving the privilege level unbinding data packet sent by the privilege level server;
the second verification module is configured to verify the privilege level unbinding data packet received by the first receiving module by using the stored privilege level data packet authentication certificate, trigger the clearing module if the verification is successful, and report an error if the verification is failed;
the clearing module is used for clearing all the stored keys and common server certificates;
the first verification module includes:
the first verification unit is used for verifying the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the first verification unit continues, and if the verification is failed, an error is reported;
the first judging unit is used for judging whether the terminal certificate identifier in the privilege level rebinding data packet is matched with the stored terminal certificate identifier, if so, continuing, otherwise, failing to verify, and reporting an error;
a second judging unit, configured to judge whether the server certificate identifier in the privilege level rebinding data packet matches the server certificate identifier in the stored common server certificate; if so, continue, otherwise the verification fails and an error is reported;
a second verification unit, used for verifying the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key; if the verification is successful, the operation continues, and if the verification fails, an error is reported;
a third judging unit, configured to judge whether a privilege level server certificate in the privilege level rebinding data packet is valid, if so, continue, otherwise, fail to verify, and report an error;
when the first judging unit, the second judging unit and the third judging unit all judge yes and the first verification unit and the second verification unit both verify successfully, the clearing and replacing module is triggered; otherwise, an error is reported;
the second verification module includes:
the third verification unit is used for verifying the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, continuing if the verification is successful, and reporting an error if the verification is failed;
a fourth judging unit, configured to judge whether the terminal certificate identifier in the privilege level unbinding packet matches the stored terminal certificate identifier, if yes, continue the process, otherwise, fail to verify, and report an error;
a fifth judging unit, configured to judge whether the server certificate identifier in the privilege level unbinding data packet matches the server certificate identifier in the stored common server certificate; if so, continue, otherwise the verification fails and an error is reported;
when the third verification unit passes verification and the fourth judging unit and the fifth judging unit both judge yes, the clearing module is triggered; otherwise, an error is reported.
Further, the first determining module is specifically configured to determine preset byte data in the key management instruction; if the preset byte data is a first value, the key management instruction is a privilege level unbinding instruction and the obtaining and composing module is triggered, and if the preset byte data is a second value, the key management instruction is a privilege level rebinding instruction and the first generating module is triggered.
Further, the first generating module is specifically configured to obtain a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquire the stored corresponding terminal certificate identifier according to the terminal identifier, acquire a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splice the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, perform a hash operation on the data to be signed to obtain a first hash operation result, encrypt the first hash operation result by using the private key in the privilege level data packet authentication certificate to obtain a first signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate the privilege level rebinding data packet.
Further, the first verification unit is specifically configured to splice the terminal certificate identifier, the server certificate identifier, and the privileged server certificate in the privileged rebinding data packet in sequence to generate a first splicing result, perform hash operation on the first splicing result to obtain a first hash result, decrypt the first signature value in the privileged rebinding data packet by using a public key in the stored privileged data packet authentication certificate to obtain a first decryption result, determine whether the first hash result is consistent with the first decryption result, if yes, verify successfully, continue, otherwise, verify unsuccessfully, and report an error.
Further, the second verification unit is specifically configured to decrypt, using the saved privilege level server authentication public key, the signature value in the privilege level server certificate in the privilege level rebinding data packet to obtain a second decryption result, perform hash operation on the data to be signed in the privilege level server certificate in the privilege level rebinding data packet to obtain a second hash result, determine whether the second decryption result is consistent with the second hash result, if yes, verify successfully, continue, otherwise, fail to verify, and report an error.
Further, the third determining unit is specifically configured to determine whether a valid date in the privileged server certificate in the privileged rebinding data packet is less than a current date, if so, the privileged server certificate is valid, and continues, otherwise, the privileged server certificate is invalid, and an error is reported.
Further, the obtaining and composing module is specifically configured to obtain a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquire the stored corresponding terminal certificate identifier according to the terminal identifier, acquire a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splice the terminal certificate identifier and the server certificate identifier to obtain a first splice value, perform a hash operation on the first splice value to obtain a second hash operation result, encrypt the second hash operation result by using the private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier and the second signature value to obtain a privilege level unbinding data packet.
Further, the third verification unit is specifically configured to sequentially splice the terminal certificate identifier and the server certificate identifier in the privilege level unbinding data packet to generate a second splicing result, perform a hash operation on the second splicing result to obtain a third hash result, decrypt the second signature value in the privilege level unbinding data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a third decryption result, and determine whether the third hash result is consistent with the third decryption result; if so, the verification succeeds and processing continues, otherwise the verification fails and an error is reported.
Further, the terminal further includes: a second generation module;
the second sending module is further configured to return a receiving success response to the terminal when the first determining module determines that the privilege level re-binding instruction or the privilege level unbinding instruction is received;
the first receiving module is further used for receiving a receiving success response sent by the privilege level server;
the second generating module is configured to generate a random number when the first receiving module receives a successful receiving response;
the first sending module is further configured to send the random number generated by the second generating module to the privilege-level server;
the second receiving module is further configured to receive the random number sent by the terminal and discard the random number, and trigger the first generating module or the obtaining component module.
Compared with the prior art, the invention has the following advantages:
With the technical scheme of the invention, the process of rebinding the privilege level server and/or the common server is carried out in the case where the terminal has lost the capability of executing 'unbinding' or 'rebinding' itself, and the scheme is safe, reliable and low in cost.
Drawings
Fig. 1 is a flowchart of a method for implementing terminal unbinding and re-binding according to an embodiment of the present invention;
fig. 2 and fig. 3 are flowcharts of a method for implementing terminal unbinding and re-binding according to a second embodiment of the present invention;
fig. 4 is a block diagram of a system for implementing terminal unbinding and re-binding according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the embodiment of the present invention, the terminal stores in advance a privileged level data packet authentication certificate, a general server certificate, and a privileged level server authentication public key, and the privileged level server stores in advance a privileged level server certificate and a plurality of general server certificates.
Example one
In an embodiment of the present invention, a method for implementing terminal unbinding and rebinding is provided, where a privileged level data packet authentication certificate, a general server certificate, and a privileged level server authentication public key are pre-stored in a terminal, and a privileged level server certificate and a plurality of general server certificates are pre-stored in a privileged level server, as shown in fig. 1, this embodiment includes:
step S1: when the terminal receives the trigger information of the user, a key management instruction is sent to the privileged server;
specifically, the user trigger information in this embodiment may be trigger information generated by the user triggering the unbind button or trigger information generated by the user triggering the rebinding button; the key management instruction comprises a terminal identifier and a bound common server identifier; the terminal identifier is used for acquiring the corresponding terminal certificate identifier, and the common server identifier is used for acquiring the corresponding common server certificate;
step S2: the privileged server receives and analyzes the key management instruction, judges the type of the key management instruction, if the key management instruction is a privileged rebinding instruction, executes step S3, and if the key management instruction is a privileged unbinding instruction, executes step S6;
specifically, in this embodiment, step S2 includes: the privilege level server judges preset byte data in the key management instruction, if the preset byte data is a first value, the preset byte data is a privilege level unbinding instruction, and if the preset byte data is a second value, the preset byte data is a privilege level rebinding instruction.
Step S3: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level rebinding instruction, generates a privilege level rebinding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate, and sends the privilege level rebinding data packet to the terminal;
specifically, in this embodiment, step S3 includes: the privilege level server acquires a terminal identifier and a common server identifier from a privilege level rebinding instruction, acquires a stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from a common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, performs hash operation on the data to be signed to obtain a first hash operation result, encrypts the first hash operation result by using a private key in a privilege level data packet authentication certificate to obtain a first signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate a privilege level rebinding data packet;
step S4: the terminal verifies the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, if the verification is successful, the step S5 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step S4 includes:
step S41: the terminal verifies the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step S42 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step S41 includes: the terminal sequentially splices the terminal certificate identification, the server certificate identification and the privileged server certificate in the privileged rebinding data packet to generate a first splicing result, performs hash operation on the first splicing result to obtain a first hash result, decrypts a first signature value in the privileged rebinding data packet by using a public key in a stored privileged data packet authentication certificate to obtain a first decryption result, judges whether the first hash result is consistent with the first decryption result, if so, successfully verifies, and executes the step S42, otherwise, fails to verify and reports an error;
step S42: the terminal judges whether the terminal certificate identifier in the privilege level rebinding data packet is matched with the stored terminal certificate identifier, if so, the step S43 is executed, otherwise, an error is reported;
step S43: the terminal judges whether the server certificate identifier in the privilege level rebinding data packet is matched with the server certificate identifier in the stored common server certificate, if so, the step S44 is executed, otherwise, an error is reported;
step S44: the terminal verifies the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key; if the verification succeeds, step S45 is executed, and if the verification fails, an error is reported;
specifically, in this embodiment, step S44 includes: the terminal decrypts the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key to obtain a second decryption result, performs hash operation on the data to be signed in the privilege level server certificate in the privilege level rebinding data packet to obtain a second hash result, judges whether the second decryption result is consistent with the second hash result, if so, the verification is successful, and executes the step S45, otherwise, the verification is failed, and reports an error;
step S45: the terminal judges whether the privilege level server certificate in the privilege level rebinding data packet is valid, if so, the step S5 is executed, otherwise, an error is reported;
specifically, in this embodiment, step S45 includes: the terminal judges whether the effective date in the privilege level server certificate in the privilege level rebinding data packet is earlier than the current date; if so, the privilege level server certificate is valid and step S5 is executed, otherwise the privilege level server certificate is invalid and an error is reported;
in this embodiment, the sequence of step S41, step S42, step S43, step S44, and step S45 can be changed arbitrarily;
step S5: the terminal clears all the stored keys, and replaces the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
step S6: the privilege level server acquires the corresponding terminal certificate identifier and common server identifier according to the privilege level unbinding instruction, composes a privilege level unbinding data packet from the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier, and sends the privilege level unbinding data packet to the terminal;
specifically, in this embodiment, step S6 includes: the privilege level server acquires a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquires a stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from a common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier and the server certificate identifier to obtain a first spliced value, performs hash operation on the first spliced value to obtain a second hash operation result, encrypts the second hash operation result by using a private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier and the second signature value to obtain a privilege level unbinding data packet;
step S7: the terminal verifies the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step S8 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step S7 includes:
step S71: the terminal verifies the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step S72 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step S71 includes: the terminal sequentially splices the terminal certificate identifier and the server certificate identifier in the privilege level unbinding data packet to generate a second splicing result, performs a hash operation on the second splicing result to obtain a third hash result, decrypts the second signature value in the privilege level unbinding data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a third decryption result, and judges whether the third hash result is consistent with the third decryption result; if so, the verification succeeds and step S72 is executed, otherwise the verification fails and an error is reported;
step S72: the terminal judges whether the terminal certificate identification in the privilege level unbinding data packet is matched with the stored terminal certificate identification, if so, the step S73 is executed, otherwise, the verification fails, and an error is reported;
step S73: the terminal judges whether the server certificate identifier in the privilege level unbinding data packet matches the server certificate identifier in the stored common server certificate; if so, step S8 is executed, otherwise the verification fails and an error is reported;
in this embodiment, the sequence of step S71, step S72, and step S73 can be changed arbitrarily;
step S8: the terminal clears all keys and common server certificates stored.
Optionally, in this embodiment, between step S2 and step S3, the method further includes:
step A1: the privileged server returns a receiving success response to the terminal;
step A2: the terminal generates a random number and sends the random number to the privilege level server;
step A3: the privilege level server receives the random number and discards the random number;
between the step S2 and the step S6, the method further includes:
step B1: the privileged server returns a receiving success response to the terminal;
step B2: the terminal generates a random number and sends the random number to the privilege level server;
step B3: the privileged server receives the random number and discards it.
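The rebinding flow of steps S3 to S5 and the unbinding flow of steps S6 to S8 above, written out as an added Go example that is not part of the patent: the privileged server signs the spliced fields with the packet authentication private key, and the terminal checks the packet signature, both identifiers, the server certificate's signature under the server authentication public key and its validity before it touches stored state. The patent names no hash or signature algorithm, field lengths or framing; RSA PKCS#1 v1.5 over SHA-256, 20-byte identifiers, a 256-byte signature and all keys and identifiers are assumptions constructed here.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Packet layout (assumed; the page gives no framing): two 20-byte certificate identifiers, an optional DER server certificate, then a 256-byte RSA-2048 signature.
const idLen, sigLen = 20, 256

// signPacket is the privileged server side (steps S3/S6): splice the fields, hash them, sign the hash. certDER is the server certificate for rebinding and nil for unbinding.
func signPacket(key *rsa.PrivateKey, termID, srvID, certDER []byte) ([]byte, error) {
	body := bytes.Join([][]byte{termID, srvID, certDER}, nil)
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

// Terminal holds what the page says the terminal stores in advance.
type Terminal struct {
	PacketAuthPub *rsa.PublicKey // from the privilege level data packet authentication certificate
	ServerAuthPub *rsa.PublicKey // privilege level server authentication public key
	TermCertID    []byte
	SrvCertID     []byte
	CommonCertDER []byte   // stored common server certificate
	Keys          [][]byte // cleared by step S5 / S8
}

// Apply is the terminal side (S4-S5 for rebinding, S7-S8 for unbinding); nothing stored changes until every check has passed.
func (t *Terminal) Apply(pkt []byte, now time.Time) error {
	if len(pkt) < 2*idLen+sigLen {
		return errors.New("packet too short")
	}
	body, sig := pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]
	h := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(t.PacketAuthPub, crypto.SHA256, h[:], sig) != nil {
		return errors.New("S41/S71: packet signature invalid")
	}
	if !bytes.Equal(body[:idLen], t.TermCertID) {
		return errors.New("S42/S72: terminal certificate identifier mismatch")
	}
	if !bytes.Equal(body[idLen:2*idLen], t.SrvCertID) {
		return errors.New("S43/S73: server certificate identifier mismatch")
	}
	certDER := body[2*idLen:]
	if len(certDER) == 0 { // unbinding packet: step S8
		t.Keys, t.CommonCertDER = nil, nil
		return nil
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	// S44: the hashed to-be-signed part must match the certificate signature under the stored server authentication public key.
	th := sha256.Sum256(cert.RawTBSCertificate)
	if rsa.VerifyPKCS1v15(t.ServerAuthPub, crypto.SHA256, th[:], cert.Signature) != nil {
		return errors.New("S44: server certificate signature invalid")
	}
	// S45: the page compares the effective date with the current date; this example also rejects a certificate that has already expired.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("S45: server certificate not valid at current date")
	}
	t.Keys, t.CommonCertDER = nil, certDER // step S5
	return nil
}

// NewFixture builds a constructed environment: fresh keys, a server certificate signed by the server authentication key, and a provisioned terminal.
func NewFixture(notBefore time.Time) (*Terminal, *rsa.PrivateKey, []byte) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	packetKey, caKey, srvKey := gen(), gen(), gen() // packet authentication, server authentication, server
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "privilege level server"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(10, 0, 0), SignatureAlgorithm: x509.SHA256WithRSA}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: "server auth CA"}, PublicKey: &caKey.PublicKey}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &srvKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	term := &Terminal{PacketAuthPub: &packetKey.PublicKey, ServerAuthPub: &caKey.PublicKey,
		TermCertID: bytes.Repeat([]byte{0x3a}, idLen), SrvCertID: bytes.Repeat([]byte{0x19}, idLen), // constructed
		CommonCertDER: []byte("old common server cert"), Keys: [][]byte{[]byte("session key")}}
	return term, packetKey, der
}

func main() {
	term, key, cert := NewFixture(time.Now().Add(-24 * time.Hour))
	pkt, _ := signPacket(key, term.TermCertID, term.SrvCertID, cert)
	fmt.Println("rebind:", term.Apply(pkt, time.Now()), "keys left:", len(term.Keys))
}
```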
Example two
The second embodiment of the invention provides a method for realizing terminal unbinding and rebinding, which is characterized in that a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key are pre-stored in a terminal, and a privilege level server certificate and a plurality of common server certificates are pre-stored in a privilege level server. As shown in fig. 2 and fig. 3, the method of the present embodiment includes:
step 101: when the terminal receives the trigger information of the user, a key management instruction is sent to the privileged server;
for example, the key management instruction in the present embodiment is A60012303030303633303430303030303030303030303003032; or the key management instruction in the present embodiment is A70012303030303633303430303030303030303003003032;
specifically, the user trigger information in this embodiment may be trigger information generated by the user triggering the unbind button or trigger information generated by the user triggering the rebinding button; the key management instruction comprises a terminal identifier and a common server identifier; the terminal identifier is used for acquiring the corresponding terminal certificate identifier, and the common server identifier is used for acquiring the corresponding common server certificate;
for example, the terminal in this embodiment is identified as 303030303633303430303030303030303032;
step 102: the privileged server receives the key management instruction and determines the type of the key management instruction, if the key management instruction is a privileged unbind instruction, step 114 is executed, and if the key management instruction is a privileged rebinding instruction, step 103 is executed;
specifically, in this embodiment, the privilege level server determines preset byte data in the key management instruction: if the preset byte data is a first value, the instruction is a privilege level unbinding instruction, and if the preset byte data is a second value, the instruction is a privilege level rebinding instruction; for example, the first value is A6 and the second value is A7;
step 103: the privileged server returns a receiving success response to the terminal;
optionally, in this embodiment, if the privileged server fails to receive, a reception failure response is returned to the terminal; for example, the reception failure response is A70001, and the reception success response is A70000;
step 104: the terminal generates a random number and sends the random number to the privilege level server;
for example, the random number generated in the present embodiment is 0F8ADFFB11DC27840F8ADFFB11DC2784;
step 105: the privilege level server receives the random number and discards the random number;
step 106: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level rebinding instruction, and generates a privilege level rebinding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate;
for example, the privilege level rebinding instruction in this embodiment is A70012303030303633303430303030303030303030303003003003032;
specifically, in this embodiment, step 106 includes: the server acquires a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquires a stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from a common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, performs hash operation on the data to be signed to obtain a first hash operation result, encrypts the first hash operation result by using a private key in the privilege level data packet authentication certificate to obtain a first signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate a privilege level rebinding data packet;
for example, the terminal identifier in this embodiment is 3a3e11fd8d6a7a89353882053f87ef124526dbb6, the terminal certificate identifier is 3a3e11fd8d6a7a89353882053f87ef124526dbb6, and the server certificate identifier is 1968374f0b5c576d19f9d164f39988be01e86eee;
the data to be signed is 3a3e11fd8d6a7a89353882053f87ef124526dbb61968374f0b5c576d19f9d164f39988be01e86eee followed by the PEM-encoded privilege level server certificate:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
The private key in the privilege level data packet authentication certificate is as follows:
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
The first signature value is 4D461CD99BF4D30C80E57ACE4BE542B78B3112FB36D7DBB7C3AFF5892918F859B816750490D1C98122AF1645FB254FC5D2AC30FC89D91FB9B6F58EDD89F408EE2BCD2A7F25DD745D19B2D6ED5D2CA2E1B257F84618FB8BB8F9EA4FFFE3A20F3A742709F54E97CE0F458A6A11E6D60895ADA18FC19527DBEB96C3D79FB7A6AD212CBC6155706C060A0C918B70932DD4C3E8761F0BC395B3BA1A2F35FF9398F724AC180933226AA9E12B2EC752AE766BC14B3236E035751394694F1725DBACE02FE8A7388A30B035FA085966B1D41C7F43FDDE2779118857721CBAA4AFDB7091197086EA09C6246E5771DF8FE629A00C6F14C01D20C5E7C668CB8BE9B696F88CF0;
the privilege level rebinding data packet is 3a3e11fd8d6a7a89353882053f87ef124526dbb61968374f0b5c576d19f9d164f39988be01e86eee followed by the PEM-encoded privilege level server certificate (the data to be signed above) and then the first signature value;
Step 107: the privilege level server transmits the privilege level rebinding data packet to the terminal;
step 108: the terminal verifies the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step 109 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step 108 includes: the terminal sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate in the privilege level rebinding data packet to generate a first splicing result, performs a hash operation on the first splicing result to obtain a first hash result, decrypts the first signature value in the privilege level rebinding data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a first decryption result, and judges whether the first hash result is consistent with the first decryption result; if so, the verification succeeds, otherwise the verification fails;
for example, the first splicing result in this embodiment is 3a3e11fd8d6a7a89353882053f87ef124526dbb61968374f0b5c576d19f9d164f39988be01e86eee followed by the PEM-encoded privilege level server certificate;
The first hash result is 8796403878C0F4FCD4CB5F0616E3C7A1E2998EA352a74615BEA15AD1ABE1E5FB; the first decryption result is 8796403878C0F4FCD4CB5F0616E3C7A1E2998EA352A74615BEA15AD1ABE1E5FB;
step 109: the terminal judges whether the terminal certificate identifier in the privilege level rebinding data packet is matched with the stored terminal certificate identifier, if so, the step 110 is executed, otherwise, an error is reported;
step 110: the terminal judges whether the server certificate identifier in the privilege level rebinding data packet is matched with the server certificate identifier in the stored common server certificate, if so, the step 111 is executed, otherwise, an error is reported;
step 111: the terminal verifies the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key; if the verification succeeds, step 112 is executed, and if the verification fails, an error is reported;
specifically, in this embodiment, step 111 includes: the terminal decrypts the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key to obtain a second decryption result, performs a hash operation on the data to be signed in that privilege level server certificate to obtain a second hash result, and judges whether the second decryption result is consistent with the second hash result; if so, the verification succeeds and step 112 is executed, otherwise the verification fails and an error is reported;
for example, in this embodiment the second decryption result is D0A42DFCF28A25138EB266831A65091D88619570C4F545ABEE5ABABE0D2FEDAF and the second hash result is D0a42DFCF28a25138EB266831a65091D88619570C4F545ABEE5ABABE0D2feadf;
step 112: the terminal judges whether the privilege level server certificate in the privilege level rebinding data packet is valid, if so, the step 113 is executed, otherwise, an error is reported;
specifically, in this embodiment, step 112 includes: the terminal judges whether the effective date in the privilege level server certificate in the privilege level rebinding data packet is earlier than the current date; if so, the privilege level server certificate is valid, otherwise the privilege level server certificate is invalid;
for example, with a validity period of 2018/11/1 through 2028/10/29 in the present embodiment, the privilege level server certificate is determined to be valid;
in the present embodiment, the sequence of steps 108-112 can be changed arbitrarily;
step 113: the terminal clears all the stored keys, and replaces the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet; returning a successful response of rebinding the certificate of the privilege level server to the privilege level server;
for example, in this embodiment, the privilege level server certificate is:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
replaced by:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
The success response for rebinding the privilege level server certificate is A80000; if rebinding the privilege level server certificate fails, the returned failure response is A80001;
step 114: the privileged server returns a receiving success response to the terminal;
optionally, in this embodiment, if the privileged server fails to accept, a reception failure response is returned to the terminal, for example, the reception failure response is a 60001, and the reception success response is a 60000;
step 115: the terminal generates a random number and sends the random number to the privilege level server;
for example, the random number generated in the present embodiment is 696529C7DBD6815683C3599FFFBB2B7D;
step 116: the privilege level server receives the random number and discards the random number;
step 117: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level unbinding instruction, and forms a privilege level unbinding data packet according to the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier;
specifically, in this embodiment, step 117 includes: the privilege level server acquires a terminal identifier and a common server identifier from the privilege level unbinding instruction, acquires the stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier and the server certificate identifier to obtain a first spliced value, performs a hash operation on the first spliced value to obtain a second hash operation result, encrypts the second hash operation result by using the private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier and the second signature value to obtain the privilege level unbinding data packet;
for example, the terminal identifier in this embodiment is 3a3e11fd8d6a7a89353882053f87ef124526dbb6, the terminal certificate identifier is 3a3e11fd8d6a7a89353882053f87ef124526dbb6, and the server certificate identifier is 1968374f0b5c576d19f9d164f39988be01e86eee; the first spliced value is 3a3e11fd8d6a7a89353882053f87ef124526dbb61968374f0b5c576d19f9d164f39988be01e86eee;
the private key in the privilege level data packet authentication certificate is as follows: -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
The second signature value is 8F5E2210FB8A9E78A8DD68F6537A5BBC988F6D8F39C11F1A9DCC53B10F3a63BE 2A2C8FC756BE5D5E2E2210D74E0031201F8BFE8F5599F1BAD6E51B715FB6FA09FE1909F9FEE8439164EAC95CC1AE507BA6B68D61261373ED58617686EE47CFB 6E 1DBE39a2141C166054a07EC0DA4D3B59 ccd250D0E50310BE 10F 215CDA 215F 215CDA5D30AC345E0D 60474287D6FC 634B 4A6AAD1F DF 81F 197EBF15AE6C748484539FD5BE47C 5B 5BD9B2FD 369B 8B 35a 35B 35a C2B 35a C35 a B35B 8B 35B 8B 35B 8B 35C 2B 8B 3C 2B 8;
the privilege level unbinding data packet is 3a3E11FD8D6a7a89353882053F87ef124526dbb61968374F0B5C576D19F9D164F39988BE01E86eee8F5E2210FB8A9E 8DD68F6537 A5C 988F6D8F39C11F1 bbb 9DCC53B10F3a63BEE2A2C 8BE 756 5D5E2E2210D74E0031201F8BFE8F5599F1BAD6E51B715FB6FA09 FE9F 8439164EAC95CC 1BA 6B68D61261373ED58617686 CFB786112E1DBE39a 537 1C166054a07 DA 0D 3B59 AAD 0E 10 cdbe 1F 215 A5D 30E 345 AC 47B 35B 19B 35B 19B 35B 47B 35B;
step 118: the privilege level server sends the privilege level unbinding data packet to the terminal;
step 119: the terminal verifies the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step 120 is executed, and if the verification is failed, an error is reported;
specifically, in this embodiment, step 119 includes: the terminal sequentially splices the terminal certificate identification and the server certificate identification in the privilege level unbinding data packet to generate a second splicing result, carries out Hash operation on the second splicing result to obtain a third Hash result, decrypts a second signature value in the privilege level unbinding data packet by using a public key in a stored privilege level data packet authentication certificate to obtain a third decryption result, judges whether the third Hash result is consistent with the third decryption result, if so, the verification is successful, otherwise, the verification is failed;
for example, the second splicing result in this embodiment is 3a3e11fd8d6a7a89353882053f87ef124526dbb61968374f0b5c576d19f9d164f39988be01e86eee; the third hash result is 807EE7605A5CD1B047192D26854B50A078431870EE0C01B4981835291126F8F0; the public key in the privilege level data packet authentication certificate is ca06bf283c4686a3f44d7b77bc440d9d5c6f083a03556bb3bbc cf4efe98970b65fa2297a172d0 acbecec 10e56ca917862926f6773ff730180c452c106e10df80716c679592cee f 2608 a 2748a3e23b7b21a231bc2fc8b8fcd345c7d99586cbb26e9b0e6f5acb4 8508 cf9e0bcbe511f91e6c7101963320f796843dc 766f198252bee f3d1c0a065658ebb d4e 9dc 766f 35f 210594 c3d 989e 3c 065658ebb d 3f 8b 35 c 3978 a 649 e 8d 8f 48 b 35 c 78b 35 b78 f 26 b 35 b78b 35 b26 c 26 b26 c8b 26 b8b 35f 26 b 35 c 78c 8b 35 b78 f 26 b78b 35 b8b 35 b8b 35 b3b 35 b3b 8b 35 b8 b; the third decryption result is 807EE7605A5CD1B047192D26854B50A078431870EE0C01B4981835291126F8F0;
step 120: the terminal judges whether the terminal certificate identification in the privilege level unbinding data packet is matched with the stored terminal certificate identification, if so, the step 121 is executed, otherwise, an error is reported;
step 121: the terminal judges whether the server certificate identification in the privilege level unbinding data packet is matched with the server certificate identification in the stored common server certificate, if so, the step 122 is executed, otherwise, an error is reported;
step 122: the terminal clears all keys and common server certificates stored.
The method realizes the process of rebinding the privilege level server and/or the common server to a terminal that has lost the ability to execute 'unbinding' or 'rebinding', and is safe, reliable and low in cost.
EXAMPLE III
A third embodiment of the present invention provides a system for implementing terminal unbinding and re-binding, as shown in fig. 4, including a terminal 31 and a privilege level server 32, where the terminal 31 prestores a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key, and the privilege level server 32 prestores a privilege level server certificate and multiple common server certificates;
the terminal 31 includes: a first sending module 311, a first receiving module 312, a first verifying module 313, a clearing and replacing module 314, a second verifying module 315, and a clearing module 316;
the privilege level server 32 includes: a second receiving module 321, a first judging module 322, a first generating module 323, a second sending module 324, and an obtaining and composing module 325;
a first sending module 311, configured to send a key management instruction to the privilege level server 32 when the terminal 31 receives the trigger information of the user;
a second receiving module 321, configured to receive a key management instruction sent by the terminal 31;
a first determining module 322, configured to determine the type of the key management instruction received by the second receiving module 321, trigger the first generating module 323 if the key management instruction is a privilege level re-binding instruction, and trigger the obtaining and composing module 325 if the key management instruction is a privilege level unbinding instruction;
the first generation module 323 is used for acquiring a corresponding terminal certificate identifier and a common server identifier according to the privilege level rebinding instruction, and generating a privilege level rebinding data packet according to the terminal certificate identifier, the server certificate identifier in the common server certificate corresponding to the common server identifier and a stored privilege level server certificate;
a second sending module 324, configured to send the privilege-level rebinding data packet generated by the first generating module 323 to the terminal 31;
a first receiving module 312, configured to receive the privilege-level rebinding data packet sent by the privilege-level server 32;
the first verification module 313 is configured to verify the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, trigger the clearing and replacing module 314 if the verification is successful, and report an error if the verification fails;
a clearing and replacing module 314, configured to clear all the stored keys, and replace the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
an obtaining and composing module 325, configured to obtain a corresponding terminal certificate identifier and a common server identifier according to the privilege level unbinding instruction, and compose a privilege level unbinding data packet according to the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier;
the second sending module 324 is further configured to send the privilege level unbinding packet composed by the obtaining and composing module 325 to the terminal 31;
the first receiving module 312 is further configured to receive the privilege level unbind data packet sent by the privilege level server 32;
a second verification module 315, configured to verify the privilege level unbinding packet received by the first receiving module 312 by using the stored privilege level packet authentication certificate, trigger the clearing module 316 if the verification is successful, and report an error if the verification is failed;
a clearing module 316, configured to clear all the stored keys and common server certificates;
the first verification module 313 includes:
the first verification unit is used for verifying the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the process continues, and if the verification fails, an error is reported;
the first judgment unit is used for judging whether the terminal certificate identifier in the privilege level rebinding data packet is matched with the stored terminal certificate identifier, if so, continuing, otherwise, failing to verify, and reporting an error;
the second judgment unit is used for judging whether the server certificate identifier in the privilege level rebinding data packet is matched with the server certificate identifier in the stored common server certificate, if so, continuing, otherwise, failing to verify and reporting an error;
the second verification unit is used for verifying the privilege level server certificate in the privilege level rebinding data packet by using the saved privilege level server authentication public key; if the verification is successful, the process continues, and if the verification fails, an error is reported;
the third judging unit is used for judging whether the privilege level server certificate in the privilege level rebinding data packet is valid or not, if so, continuing, and otherwise, failing to verify, and reporting an error;
when the first judging unit, the second judging unit and the third judging unit all judge yes and the first verifying unit and the second verifying unit both verify successfully, the clearing and replacing module 314 is triggered; otherwise, an error is reported;
the second verification module 315 includes:
the third verification unit is used for verifying the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the process continues, and if the verification fails, an error is reported;
a fourth judging unit, configured to judge whether the terminal certificate identifier in the privilege level unbinding packet matches the stored terminal certificate identifier, if yes, continue, otherwise, fail to verify, and report an error;
a fifth judging unit, configured to judge whether the server certificate identifier in the privilege level unbinding packet matches the server certificate identifier in the stored common server certificate, if so, continuing, otherwise, failing to verify, and reporting an error;
and when the fourth judging unit and the fifth judging unit both judge yes and the third verifying unit passes the verification, the clearing module 316 is triggered, otherwise, an error is reported.
In this embodiment, the first determining module 322 is specifically configured to judge preset byte data in the key management instruction: if the preset byte data is a first value, the key management instruction is a privilege level unbinding instruction and the first generating module 323 is triggered; if the preset byte data is a second value, the key management instruction is a privilege level rebinding instruction and the obtaining and composing module 325 is triggered.
The first generating module 323 is specifically configured to obtain a terminal identifier and a general server identifier from the privilege level rebinding instruction, obtain a stored corresponding terminal certificate identifier according to the terminal identifier, obtain a server certificate identifier from a general server certificate corresponding to the general server identifier, sequentially splice the terminal certificate identifier, the server certificate identifier, and the privilege level server certificate to generate data to be signed, perform hash operation on the data to be signed to obtain a first hash operation result, encrypt the first hash operation result by using a private key in the privilege level data packet authentication certificate to obtain a first signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier, the privilege level server certificate, and the first signature value to generate a privilege level rebinding data packet.
The first verification unit is specifically configured to sequentially splice the terminal certificate identifier, the server certificate identifier, and the privileged server certificate in the privileged rebinding data packet to generate a first splicing result, perform hash operation on the first splicing result to obtain a first hash result, decrypt the first signature value in the privileged rebinding data packet by using the public key in the stored privileged data packet authentication certificate to obtain a first decryption result, determine whether the first hash result is consistent with the first decryption result, if yes, verify successfully, continue, otherwise, verify fails, and report an error.
The second verification unit is specifically configured to decrypt the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key to obtain a second decryption result, perform a hash operation on the data to be signed in the privilege level server certificate in the privilege level rebinding data packet to obtain a second hash result, and determine whether the second decryption result is consistent with the second hash result; if so, the verification is successful and continues, otherwise the verification fails and an error is reported.
The third judging unit is specifically configured to judge whether the valid date in the privileged server certificate in the privileged rebinding data packet is smaller than the current date, if so, the privileged server certificate is valid, and continues, otherwise, the privileged server certificate is invalid, and an error is reported.
Specifically, in this embodiment, the obtaining and composing module 325 is configured to obtain the terminal identifier and the common server identifier from the privilege level unbinding instruction, obtain the stored corresponding terminal certificate identifier according to the terminal identifier, obtain the server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splice the terminal certificate identifier and the server certificate identifier to obtain a first spliced value, perform a hash operation on the first spliced value to obtain a second hash operation result, encrypt the second hash operation result by using the private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier, and the second signature value to obtain the privilege level unbinding data packet.
Correspondingly, the third verification unit is specifically configured to sequentially splice the terminal certificate identifier and the server certificate identifier in the privilege level unbind data packet to generate a second splicing result, perform hash operation on the second splicing result to obtain a third hash result, decrypt the second signature value in the privilege level unbind data packet by using the public key in the stored privilege level data packet authentication certificate to obtain a third decryption result, determine whether the third hash result is consistent with the third decryption result, if yes, verify successfully, continue, otherwise, fail to verify, and report an error.
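The signing and checking steps that the second and third embodiments describe for the privilege level unbinding data packet (steps 117 to 122 above) and for the privilege level rebinding data packet (units a1 to e1 above) can be modelled compactly. The following is an added example written for this page, not code from the patent or from Feitian Technologies. It assumes 40-character hexadecimal certificate identifiers of the kind shown in the worked values, a packet layout of fixed-width fields with the signature appended last, a constructed privilege level server certificate format (identifier, expiry date as YYYYMMDD, signature by the server-authentication key), 1024-bit demo keys generated at import time, and textbook RSA with no padding as a stand-in for "encrypting the hash with the private key"; a deployed implementation would use PKCS#1 v1.5 or PSS. The expiry check treats a certificate whose date is earlier than the current date as expired.

```python
# Added example, not code from the patent: a minimal model of the privilege
# level unbinding packet (steps 117-122) and rebinding packet (units a1-e1).
# "Encrypt the hash with the private key" is rendered as textbook RSA over
# SHA-256 with no padding, a stand-in only; real code uses PKCS#1 v1.5/PSS.
# Ids, packet layout, key size and certificate format are assumptions.
import hashlib
import secrets

ID_LEN = 40    # hex SHA-1 length, like the ids in the worked values above
SIG_LEN = 128  # bytes, for the 1024-bit demo keys below

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, enough for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(c):
            return c

def gen_rsa_key(bits=1024):
    """Return (n, e, d); toy key generation for illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def sign(data, key):
    """Hash the data, then 'encrypt' the hash with the private exponent."""
    n, _, d = key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n).to_bytes(SIG_LEN, "big")

def verify(data, sig, pub):
    """'Decrypt' the signature with the public key and compare to a fresh hash."""
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# Constructed demo key pairs: the privilege level data packet authentication
# certificate key and the privilege level server authentication key.
PACKET_KEY, SERVER_AUTH_KEY = gen_rsa_key(), gen_rsa_key()
PACKET_PUB, SERVER_AUTH_PUB = PACKET_KEY[:2], SERVER_AUTH_KEY[:2]

def build_unbind_packet(terminal_cert_id, server_cert_id):
    """Step 117: splice the two ids, sign the splice, append the signature."""
    splice = (terminal_cert_id + server_cert_id).encode()
    return splice + sign(splice, PACKET_KEY)

def make_server_cert(cert_id, not_after):
    """Constructed privilege level server certificate: id || YYYYMMDD || signature."""
    body = (cert_id + not_after).encode()
    return body + sign(body, SERVER_AUTH_KEY)

def build_rebind_packet(terminal_cert_id, server_cert_id, server_cert):
    """Step S3: splice ids and certificate, sign, append the signature."""
    to_sign = (terminal_cert_id + server_cert_id).encode() + server_cert
    return to_sign + sign(to_sign, PACKET_KEY)

def _check_ids(body, terminal):
    """Steps 120/121 (b1/c1): packet ids must match what the terminal stores."""
    if body[:ID_LEN].decode() != terminal["terminal_cert_id"]:
        raise ValueError("terminal certificate id mismatch")
    if body[ID_LEN:2 * ID_LEN].decode() != terminal["common_server_cert_id"]:
        raise ValueError("server certificate id mismatch")

def terminal_unbind(packet, terminal):
    """Steps 119-122: verify signature, check ids, clear keys and server cert."""
    body, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
    if not verify(body, sig, PACKET_PUB):
        raise ValueError("unbinding packet signature invalid")
    _check_ids(body, terminal)
    return {**terminal, "keys": {}, "common_server_cert_id": None}

def terminal_rebind(packet, terminal, today):
    """Units a1-e1; today is 'YYYYMMDD', which compares correctly as text."""
    body, sig = packet[:-SIG_LEN], packet[-SIG_LEN:]
    if not verify(body, sig, PACKET_PUB):                  # a1
        raise ValueError("rebinding packet signature invalid")
    _check_ids(body, terminal)                              # b1, c1
    cert = body[2 * ID_LEN:]
    cert_body, cert_sig = cert[:-SIG_LEN], cert[-SIG_LEN:]
    if not verify(cert_body, cert_sig, SERVER_AUTH_PUB):    # d1
        raise ValueError("privilege level server certificate signature invalid")
    if today > cert_body[ID_LEN:ID_LEN + 8].decode():       # e1: expired
        raise ValueError("privilege level server certificate expired")
    return {**terminal, "keys": {}, "common_server_cert_id": cert_body[:ID_LEN].decode()}
```

Each terminal-side check raises on failure, so a caller cannot reach the key-clearing step with a packet that fails any of the signature, identifier or validity checks. The order matches the embodiment: the packet signature is verified first, so the identifier comparisons and the certificate checks only run on data the privilege level server actually signed.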
Optionally, the terminal 31 of this embodiment further includes: a second generation module;
the second sending module 324 is further configured to return a receiving success response to the terminal 31 when the first determining module 322 determines that the privilege level re-binding instruction or the privilege level unbinding instruction is received;
the first receiving module 312 is further configured to receive a receiving success response sent by the privilege level server 32;
a second generating module, configured to generate a random number when the first receiving module 312 receives a successful receiving response;
the first sending module 311 is further configured to send the random number generated by the second generating module to the privilege level server 32;
the second receiving module 321 is further configured to receive the random number sent by the terminal 31 and discard the random number, and trigger the first generating module 323 or the obtaining and composing module 325.
In the technical scheme of the invention, the privilege level server and/or the common server is rebound to the terminal even when the terminal has lost the capability of executing 'unbinding' or 'rebinding', and the scheme has the advantages of safety, reliability and low cost.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (18)

1. A method for realizing terminal unbinding and rebinding is characterized in that a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key are pre-stored in a terminal, and a privilege level server certificate and a plurality of common server certificates are pre-stored in a privilege level server, the method comprising the following steps:
step S1: when the terminal receives the trigger information of the user, a key management instruction is sent to the privilege level server;
step S2: the privileged server receives the key management instruction and determines the type of the key management instruction, if the key management instruction is a privileged rebinding instruction, the step S3 is executed, and if the key management instruction is a privileged unbinding instruction, the step S6 is executed;
step S3: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level re-binding instruction, generates a privilege level re-binding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate, and sends the privilege level re-binding data packet to the terminal;
step S4: the terminal verifies the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, if the verification is successful, the step S5 is executed, and if the verification is failed, an error is reported;
step S5: the terminal clears all the stored keys and replaces the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
step S6: the privilege level server acquires a corresponding terminal certificate identifier and a common server identifier according to the privilege level unbinding instruction, forms a privilege level unbinding data packet according to the terminal certificate identifier and the server certificate identifier in the common server certificate corresponding to the common server identifier, and sends the privilege level unbinding data packet to the terminal;
step S7: the terminal verifies the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, if the verification is successful, the step S8 is executed, and if the verification is failed, an error is reported;
step S8: the terminal clears all the stored keys and common server certificates;
the step S4 of verifying the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key specifically includes:
step a1: the terminal verifies the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step b1: the terminal judges whether the terminal certificate identification in the privilege level rebinding data packet matches the stored terminal certificate identification; if so, the terminal continues, otherwise the verification fails and an error is reported;
step c1: the terminal judges whether the server certificate identifier in the privilege level rebinding data packet matches the server certificate identifier in the stored common server certificate; if so, the terminal continues, otherwise the verification fails and an error is reported;
step d1: the terminal uses the stored privilege level server authentication public key to verify the privilege level server certificate in the privilege level rebinding data packet; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step e1: the terminal judges whether the privilege level server certificate in the privilege level rebinding data packet is valid; if yes, the terminal continues, and if not, the verification fails and an error is reported;
when said step a1 and said step d1 both verify successfully and said step b1, said step c1 and said step e1 all judge yes, said terminal has successfully verified said privilege level rebinding packet using the saved privilege level packet authentication certificate and the privilege level server authentication public key;
the step S7, where the terminal verifies the privilege level unbind packet using the stored privilege level packet authentication certificate, specifically includes:
step m1: the terminal verifies the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate; if the verification is successful, the terminal continues, and if the verification fails, an error is reported;
step n1: the terminal judges whether the terminal certificate identification in the privilege level unbinding data packet matches the stored terminal certificate identification; if so, the terminal continues, otherwise the verification fails and an error is reported;
step k1: the terminal judges whether the server certificate identification in the privilege level unbinding data packet matches the server certificate identification in the stored common server certificate; if so, the terminal continues, otherwise the verification fails and an error is reported;
when the verification of step m1 is successful and steps n1 and k1 are both judged yes, the terminal has successfully verified the privilege level unbinding data packet using the saved privilege level data packet authentication certificate.
2. The method of claim 1, wherein the step S2 includes: and the privilege level server judges preset byte data in the key management instruction, if the preset byte data is a first value, the preset byte data is a privilege level unbinding instruction, and if the preset byte data is a second value, the preset byte data is a privilege level rebinding instruction.
3. The method of claim 1, wherein the step S3 includes: the privilege level server acquires a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquires a stored corresponding terminal certificate identifier according to the terminal identifier, acquires a server certificate identifier from a common server certificate corresponding to the common server identifier, sequentially splices the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, performs hash operation on the data to be signed to obtain a first hash operation result, encrypts the first hash operation result by using a private key in a privilege level data packet authentication certificate to obtain a first signature value, and sequentially splices the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate a privilege level rebinding data packet.
4. The method of claim 1, wherein the terminal in step a1 verifying the first signature value in the privilege-level rebinding packet using the saved privilege-level packet authentication certificate comprises: and the terminal sequentially splices the terminal certificate identification, the server certificate identification and the privileged server certificate in the privileged rebinding data packet to generate a first splicing result, performs hash operation on the first splicing result to obtain a first hash result, decrypts the first signature value in the privileged rebinding data packet by using a public key in the stored privileged data packet authentication certificate to obtain a first decryption result, judges whether the first hash result is consistent with the first decryption result, if so, the verification is successful, and otherwise, the verification fails.
5. The method of claim 1, wherein the terminal in step d1 verifying the privilege level server certificate in the privilege level rebinding packet using the saved privilege level server authentication public key comprises: and the terminal decrypts the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the stored privilege level server authentication public key to obtain a second decryption result, performs hash operation on the data to be signed in the privilege level server certificate in the privilege level rebinding data packet to obtain a second hash result, and judges whether the second decryption result is consistent with the second hash result, if so, the verification is successful, and if not, the verification is failed.
6. The method according to claim 1, wherein the terminal in the step e1 determining whether the privilege level server certificate in the privilege level rebinding packet is valid comprises: and the terminal judges whether the valid date in the privileged server certificate in the privileged rebinding data packet is less than the current date, if so, the privileged server certificate is valid, and otherwise, the privileged server certificate is invalid.
7. The method of claim 1, wherein the step S6 includes: the privilege level server obtains a terminal identification and a common server identification from a privilege level rebinding instruction, obtains a stored corresponding terminal certificate identification according to the terminal identification, obtains a server certificate identification from a common server certificate corresponding to the common server identification, sequentially splices the terminal certificate identification and the server certificate identification to obtain a first spliced value, performs Hash operation on the first spliced value to obtain a second Hash operation result, encrypts the second Hash operation result by using a private key in a privilege level data packet authentication certificate to obtain a second signature value, and sequentially splices the terminal certificate identification, the server certificate identification and the second signature value to obtain a privilege level unbinding data packet.
8. The method according to claim 7, wherein the terminal in the step m1 verifying the second signature value in the privilege-level unbind packet using the saved privilege-level packet authentication certificate comprises: and the terminal sequentially splices the terminal certificate identification and the server certificate identification in the privilege level unbinding data packet to generate a second splicing result, performs Hash operation on the second splicing result to obtain a third Hash result, decrypts a second signature value in the privilege level unbinding data packet by using a public key in a stored privilege level data packet authentication certificate to obtain a third decryption result, judges whether the third Hash result is consistent with the third decryption result, if so, successfully verifies, continues, otherwise, fails to verify, and reports errors.
9. The method of claim 1, wherein between the step S2 and the step S3 further comprising:
step A1: the privilege level server returns a receiving success response to the terminal;
step A2: the terminal generates a random number and sends the random number to the privilege level server;
step A3: the privilege level server receives the random number and discards the random number;
between the step S2 and the step S6, the method further comprises:
step B1: the privilege level server returns a receiving success response to the terminal;
step B2: the terminal generates a random number and sends the random number to the privilege level server;
step B3: the privilege level server receives the random number and discards it.
10. A system for realizing terminal unbinding and rebinding is characterized in that the system comprises a terminal and a privilege level server, wherein a privilege level data packet authentication certificate, a common server certificate and a privilege level server authentication public key are pre-stored in the terminal, and the privilege level server certificate and a plurality of common server certificates are pre-stored in the privilege level server;
the terminal includes: a first sending module, a first receiving module, a first verification module, a clearing replacement module, a second verification module and a clearing module;
the privilege level server includes: a second receiving module, a first determining module, a first generating module, a second sending module and an obtaining and composing module;
the first sending module is used for sending a key management instruction to the privilege level server when the terminal receives the trigger information of the user;
the second receiving module is configured to receive the key management instruction sent by the terminal;
the first determining module is configured to determine the type of the key management instruction received by the second receiving module, trigger the first generating module if the key management instruction is a privilege level rebinding instruction, and trigger the obtaining and composing module if the key management instruction is a privilege level unbinding instruction;
the first generation module is used for acquiring a corresponding terminal certificate identifier and a common server identifier according to the privilege level rebinding instruction, and generating a privilege level rebinding data packet according to the terminal certificate identifier, a server certificate identifier in a common server certificate corresponding to the common server identifier and a stored privilege level server certificate;
the second sending module is configured to send the privilege level rebinding data packet generated by the first generating module to the terminal;
the first receiving module is configured to receive a privilege level rebinding data packet sent by the privilege level server;
the first verification module is used for verifying the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate and the privilege level server authentication public key, triggering the clearing replacement module if the verification is successful, and reporting an error if the verification is failed;
the clearing and replacing module is used for clearing all the stored keys and replacing the stored common server certificate with the privilege level server certificate in the privilege level rebinding data packet;
the obtaining and composing module is used for obtaining a corresponding terminal certificate identifier and a common server identifier according to the privilege level unbinding instruction, and composing a privilege level unbinding data packet according to the terminal certificate identifier and a server certificate identifier in the common server certificate corresponding to the common server identifier;
the second sending module is further configured to send the privilege level unbinding data packet composed by the obtaining and composing module to the terminal;
the first receiving module is further used for receiving the privilege level unbinding data packet sent by the privilege level server;
the second verification module is configured to verify the privilege level unbinding data packet received by the first receiving module by using the stored privilege level data packet authentication certificate, trigger the clearing module if the verification is successful, and report an error if the verification is failed;
the clearing module is used for clearing all the stored keys and common server certificates;
the first verification module includes:
a first verification unit, configured to verify the first signature value in the privilege level rebinding data packet by using the stored privilege level data packet authentication certificate, continue if the verification succeeds, and report an error if the verification fails;
the first judging unit is used for judging whether the terminal certificate identifier in the privilege level rebinding data packet is matched with the stored terminal certificate identifier, if so, continuing, otherwise, failing to verify, and reporting an error;
a second judging unit, configured to judge whether a server certificate identifier in the privilege-level rebinding data packet matches a server certificate identifier in a stored general server certificate, if so, continue, otherwise, fail to verify, and report an error;
a second verification unit, configured to verify the privilege level server certificate in the privilege level rebinding data packet by using the saved privilege level server authentication public key, continue if the verification succeeds, and report an error if the verification fails;
a third judging unit, configured to judge whether a privilege level server certificate in the privilege level rebinding data packet is valid, if so, continue, otherwise, fail to verify, and report an error;
when the first judging unit, the second judging unit and the third judging unit all judge yes and the first verification unit and the second verification unit both verify successfully, the clearing replacement module is triggered; otherwise, an error is reported;
the second verification module includes:
the third verification unit is used for verifying the second signature value in the privilege level unbinding data packet by using the stored privilege level data packet authentication certificate, continuing if the verification is successful, and reporting an error if the verification is failed;
a fourth judging unit, configured to judge whether the terminal certificate identifier in the privilege level unbinding packet matches the stored terminal certificate identifier, if yes, continue the process, otherwise, fail to verify, and report an error;
a fifth judging unit, configured to judge whether the server certificate identifier in the privilege level unbinding packet matches a server certificate identifier in a stored general server certificate, if so, continuing, otherwise, failing to verify, and reporting an error;
when the fourth judging unit and the fifth judging unit both judge yes and the third verification unit verifies successfully, the clearing module is triggered; otherwise, an error is reported.
11. The system according to claim 10, wherein the first determining module is specifically configured to determine preset byte data in the key management instruction; if the preset byte data is a first value, the key management instruction is a privilege level unbinding instruction and the first generating module is triggered, and if the preset byte data is a second value, the key management instruction is a privilege level rebinding instruction and the obtaining and composing module is triggered.
12. The system of claim 10, wherein the first generating module is specifically configured to obtain a terminal identifier and a common server identifier from the privilege level rebinding instruction, acquire the stored corresponding terminal certificate identifier according to the terminal identifier, acquire a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splice the terminal certificate identifier, the server certificate identifier and the privilege level server certificate to generate data to be signed, perform a Hash operation on the data to be signed to obtain a first Hash operation result, encrypt the first Hash operation result by using a private key in the privilege level data packet authentication certificate to obtain a first signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier, the privilege level server certificate and the first signature value to generate the privilege level rebinding data packet.
13. The system according to claim 10, wherein the first verification unit is specifically configured to sequentially splice the terminal certificate identifier, the server certificate identifier and the privilege level server certificate in the privilege level rebinding data packet to generate a first splicing result, perform a Hash operation on the first splicing result to obtain a first Hash result, decrypt the first signature value in the privilege level rebinding data packet by using a public key in the stored privilege level data packet authentication certificate to obtain a first decryption result, and determine whether the first Hash result is consistent with the first decryption result; if so, the verification succeeds and the process continues, otherwise the verification fails and an error is reported.
14. The system according to claim 10, wherein the second verification unit is specifically configured to decrypt the signature value in the privilege level server certificate in the privilege level rebinding data packet by using the saved privilege level server authentication public key to obtain a second decryption result, perform a Hash operation on the data to be signed in the privilege level server certificate in the privilege level rebinding data packet to obtain a second Hash result, and determine whether the second decryption result is consistent with the second Hash result; if so, the verification succeeds and the process continues, otherwise the verification fails and an error is reported.
15. The system according to claim 10, wherein the third judging unit is specifically configured to judge whether the valid date in the privilege level server certificate in the privilege level rebinding data packet is less than the current date; if so, the privilege level server certificate is valid and the process continues, otherwise the privilege level server certificate is invalid and an error is reported.
16. The system according to claim 10, wherein the obtaining and composing module is specifically configured to obtain a terminal identifier and a common server identifier from a privilege level rebinding instruction, obtain the stored corresponding terminal certificate identifier according to the terminal identifier, obtain a server certificate identifier from the common server certificate corresponding to the common server identifier, sequentially splice the terminal certificate identifier and the server certificate identifier to obtain a first splicing value, perform a Hash operation on the first splicing value to obtain a second Hash operation result, encrypt the second Hash operation result by using a private key in the privilege level data packet authentication certificate to obtain a second signature value, and sequentially splice the terminal certificate identifier, the server certificate identifier and the second signature value to obtain the privilege level unbinding data packet.
17. The system according to claim 16, wherein the third verification unit is specifically configured to sequentially splice the terminal certificate identifier and the server certificate identifier in the privilege level unbinding data packet to generate a second splicing result, perform a Hash operation on the second splicing result to obtain a third Hash result, decrypt the second signature value in the privilege level unbinding data packet by using a public key in the stored privilege level data packet authentication certificate to obtain a third decryption result, and determine whether the third Hash result is consistent with the third decryption result; if so, the verification succeeds and the process continues, otherwise the verification fails and an error is reported.
18. The system of claim 10, wherein the terminal further comprises: a second generation module;
the second sending module is further configured to return a receiving success response to the terminal when the first determining module determines that the privilege level re-binding instruction or the privilege level unbinding instruction is received;
the first receiving module is further used for receiving a receiving success response sent by the privilege level server;
the second generating module is configured to generate a random number when the first receiving module receives a successful receiving response;
the first sending module is further configured to send the random number generated by the second generating module to the privilege-level server;
the second receiving module is further configured to receive the random number sent by the terminal, discard the random number, and trigger the first generating module or the obtaining and composing module.
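The privilege level unbinding data packet of claims 7 and 8 (mirrored by claims 16 and 17) and the terminal-side checks of claim 10, as an added worked example that is not code from the patent or its assignee. The claims fix no hash, signature scheme or identifier length; SHA-256, 16-byte identifiers and textbook RSA over two publicly known Mersenne primes are assumptions made here so the block runs with the standard library alone.

```python
# Added example, not code from the patent or its assignee: the privilege level
# unbinding data packet of claims 7/8 (mirrored in claims 16/17) and the
# terminal-side checks of claim 10 (third verification unit, fourth/fifth
# judging units, clearing module). Assumptions: the claims fix no hash,
# signature scheme or field lengths. SHA-256, fixed 16-byte identifiers and
# textbook RSA (pow(h, d, n)) over two publicly known Mersenne primes are
# stand-ins chosen here: the key has no secrecy and raw RSA only mirrors the
# wording "encrypt the hash with the private key"; use RSA-PSS for real.
import hashlib

ID_LEN = 16  # assumed length of the terminal/server certificate identifiers

def toy_keypair():
    """Toy RSA key ((n, e), (n, d)) from p = 2^127-1, q = 2^521-1, e = 65537."""
    p, q, e = (1 << 127) - 1, (1 << 521) - 1, 65537
    n = p * q  # 648 bits, so a 256-bit hash is always below the modulus
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def build_unbind_packet(priv, tcid, scid):
    """Privilege level server, claim 7: tcid || scid || second signature value."""
    n, d = priv
    sig = pow(_hash_int(tcid + scid), d, n)  # hash "encrypted" with the private key
    return tcid + scid + sig.to_bytes((n.bit_length() + 7) // 8, "big")

def verify_unbind_packet(pub, pkt, stored_tcid, stored_server_cert):
    """Terminal: claim 8 signature check, then the identifier checks of the
    fourth and fifth judging units. True only if every check passes."""
    n, e = pub
    tcid, scid, sig = pkt[:ID_LEN], pkt[ID_LEN:2 * ID_LEN], pkt[2 * ID_LEN:]
    if len(sig) != (n.bit_length() + 7) // 8:
        return False  # malformed packet: reject before any arithmetic
    # "decrypt" the signature with the public key and compare with the re-hash
    if pow(int.from_bytes(sig, "big"), e, n) != _hash_int(tcid + scid):
        return False
    # the packet must name this terminal and the common server it is bound to
    return tcid == stored_tcid and scid == stored_server_cert["cert_id"]

def terminal_handle_unbind(terminal, pub, pkt):
    """Clearing module of claim 10: wipe all keys and the common server
    certificate only after successful verification, else report an error."""
    if not verify_unbind_packet(pub, pkt, terminal["tcid"], terminal["server_cert"]):
        raise ValueError("privilege level unbinding data packet verification failed")
    terminal["keys"].clear()
    terminal["server_cert"] = None
    return terminal

def demo():
    """Constructed sample run: a genuine packet unbinds, a tampered one is rejected."""
    pub, priv = toy_keypair()
    tcid, scid = b"TERM-CERT-0001..", b"SRV-CERT-0001..."  # constructed 16-byte ids
    terminal = {"tcid": tcid, "server_cert": {"cert_id": scid}, "keys": [b"k1", b"k2"]}
    pkt = build_unbind_packet(priv, tcid, scid)
    ok = verify_unbind_packet(pub, pkt, tcid, {"cert_id": scid})
    # flip one bit of the server certificate identifier: the re-hash no longer matches
    tampered = pkt[:ID_LEN] + bytes([pkt[ID_LEN] ^ 1]) + pkt[ID_LEN + 1:]
    bad = verify_unbind_packet(pub, tampered, tcid, {"cert_id": scid})
    terminal_handle_unbind(terminal, pub, pkt)
    return ok, bad, terminal["keys"], terminal["server_cert"]
```

The order of checks follows the claims: the signature is verified before the identifiers are compared, so a packet forged for a different terminal or server fails at the signature step and never reaches the clearing module.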
CN202010638428.4A 2020-07-06 2020-07-06 Method and system for realizing terminal unbinding and rebinding Active CN111526025B (en)

Publications (2)

Publication Number Publication Date
CN111526025A CN111526025A (en) 2020-08-11
CN111526025B true CN111526025B (en) 2020-10-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant