CN111901304A - Registration method and device of mobile security equipment, storage medium and electronic device - Google Patents

Info

Publication number
CN111901304A
Authority
CN
China
Prior art keywords
mobile security
security device
management center
terminal
management
Legal status
Granted
Application number
CN202010600264.6A
Other languages
Chinese (zh)
Other versions
CN111901304B (en
Inventor
孙瑜
夏攀
陈旭
冯克
李琨
候永谦
Current Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original Assignee
BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Priority application
CN202010600264.6A, filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Publications
CN111901304A (application publication); CN111901304B (granted patent)
Legal status
Active

Classifications

    • H04L63/0823: network security; authentication of entities using certificates
    • H04L41/0246: network management; exchanging or transporting network management information using the Internet, web-services-based protocols
    • H04L41/046: network management architectures comprising network management agents or mobile agents
    • H04L63/0815: authentication of entities providing single-sign-on or federations
    • H04L63/083: authentication of entities using passwords
    • H04L63/0876: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/145: session management; avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
    • H04L9/3247: entity or message authentication involving digital signatures
    • H04L9/3263: entity or message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268: PKI arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The application discloses a registration method and apparatus for a mobile security device, a storage medium and an electronic device. The method comprises the following steps: when a first mobile security device is connected to a first terminal, starting a management terminal program on the first terminal, where the management terminal program communicates with a management center while the first mobile security device is connected to the first terminal, and the first mobile security device is used to manage the mobile security devices to be registered; when the first terminal detects that a second mobile security device has been connected, obtaining a registration request of the second mobile security device through the management terminal program; and registering the second mobile security device with the management center through the management terminal program. The method and apparatus address the technical problem of security risks in terminals in the related art.

Description

Registration method and device of mobile security equipment, storage medium and electronic device
Technical Field
The application relates to the field of trusted computing, and in particular to a registration method and apparatus for a mobile security device, a storage medium and an electronic device.
Background
Trusted computing is an emerging field of information security that builds on hardware-based security to improve computer security. Trust is its core concept, and the trusted computing standard defines it as follows: an entity is trusted if its behaviour always proceeds in the expected manner towards the expected goal. In trusted computing, every judgment about whether an entity is trusted depends on a trusted chip, the trusted platform control module, which is embedded on the mainboard.
The Trusted Platform Control Module (TPCM) is the core component of a trusted computing platform. It is a chip embedded on the motherboard that communicates with the motherboard over a bus and has its own microprocessor and cryptographic engine; its main components include input/output, a cryptographic coprocessor, key generation, an HMAC engine, a random number generator, an SHA-1 engine, power detection, a switch, an execution engine, non-volatile storage and volatile storage. The design idea of trusted computing is that the trusted platform control module serves as the unconditional root of trust. The computer starts from this root and, through the three steps of measurement and verification, trust transfer and handover of CPU control, progressively extends the trust boundary from the root of trust to the BIOS, then to the operating system and finally to the application programs.
A trusted device usually has to exchange data with other devices for convenience of use. Although the device itself is secure and trusted, the security of those other devices is not guaranteed, so a security problem may arise once the computer system is communicatively connected to them.
No effective solution to the above problem has yet been proposed.
Disclosure of Invention
Embodiments of the application provide a registration method and apparatus for a mobile security device, a storage medium and an electronic device, so as to at least solve the technical problem of security risks in terminals in the related art.
According to one aspect of the embodiments of the application, a registration method for a mobile security device is provided, including: when a first mobile security device is connected to a first terminal, starting a management terminal program on the first terminal, where the management terminal program communicates with a management center while the first mobile security device is connected to the first terminal, and the first mobile security device is used to manage the mobile security devices to be registered; when the first terminal detects that a second mobile security device has been connected, obtaining a registration request of the second mobile security device through the management terminal program; and registering the second mobile security device with the management center through the management terminal program.
According to another aspect of the embodiments of the application, a registration apparatus for a mobile security device is also provided, including: a starting unit, which starts the management terminal program on a first terminal when a first mobile security device is connected to the first terminal, where the management terminal program communicates with a management center while the first mobile security device is connected and the first mobile security device is used to manage the mobile security devices to be registered; an acquisition unit, which obtains a registration request of a second mobile security device through the management terminal program when the first terminal detects that the second mobile security device has been connected; and a registration unit, which registers the second mobile security device with the management center through the management terminal program.
According to another aspect of the embodiments of the application, a storage medium is also provided that includes a stored program which, when executed, performs the above method.
According to another aspect of the embodiments of the application, an electronic device is also provided, including a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor executes the above method through the computer program.
In the embodiments of the application, the management terminal program is started only when a trusted first mobile security device is inserted into the first terminal, and a second mobile security device detected on the first terminal is then registered and authenticated through that program. This solves the technical problem of security risks in terminals in the related art and achieves the technical effect of improving terminal security.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic diagram of a hardware environment of a registration method of a mobile security device according to an embodiment of the present application;
fig. 2 is a flowchart of an alternative registration method of a mobile security device according to an embodiment of the present application;
fig. 3 is a schematic diagram of an alternative registration method of a mobile security device according to an embodiment of the present application;
fig. 4 is a flowchart of an alternative registration method of a mobile security device according to an embodiment of the present application;
fig. 5 is a flowchart of an alternative registration method of a mobile security device according to an embodiment of the present application;
fig. 6 is a flowchart of an alternative method for registering a mobile security device according to an embodiment of the present application;
fig. 7 is a flowchart of an alternative method for registering a mobile security device according to an embodiment of the present application;
fig. 8 is a flowchart of an alternative method for registering a mobile security device according to an embodiment of the present application;
fig. 9 is a flowchart of an alternative method for registering a mobile security device according to an embodiment of the present application;
fig. 10 is a schematic diagram of an alternative registration apparatus of a mobile security device according to an embodiment of the present application; and
fig. 11 is a block diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to one aspect of the embodiments of the application, a method embodiment of a registration method for a mobile security device is provided. Optionally, in this embodiment, the registration method may be applied to the hardware environment shown in fig. 1, formed by a set of trusted terminals 101 and a trusted management center 103 (which may consist of one or more trusted servers). As shown in fig. 1, the trusted management center 103 is connected to the trusted terminal set 101 through a network (the types of network are not limited) and can be used to manage each trusted terminal. The trusted terminal set 101 is not limited to terminals such as PCs, mobile phones and tablet computers.
The management center must first be initialized; at initialization time no user or administrator exists yet. At this point the super administrator's certificate can be copied into the specified directory of the security management center, and once the relevant configuration is complete the super administrator can log in to the management center through the web page and add other administrators.
The registration method of the embodiments may be executed by the terminal, or by the server 103 and the terminal together. When executed by the terminal, it may also be executed by a client installed on it. Fig. 2 is a flowchart of an alternative registration method for a mobile security device according to an embodiment of the application; as shown in fig. 2, the method may include the following steps:
Step S202: when a first mobile security device is connected to the first terminal, a management terminal program is started on the first terminal. The management terminal program communicates with the management center while the first mobile security device is connected to the first terminal, and the first mobile security device is used to manage the mobile security devices to be registered.
The terminals (first terminal, second terminal, and so on) are terminals in the trusted terminal set. A mobile security device (first mobile security device, second mobile security device, and so on) is a device that connects to the terminal through an expansion interface the terminal provides; the expansion interface may be a USB interface, a Type-C interface, a PCIe interface, a SATA interface, an mSATA interface, a serial port, and the like. The following description uses the USB interface as an example.
Step S204: when the first terminal detects that a second mobile security device has been connected, a registration request of the second mobile security device is obtained through the management terminal program.
The first mobile security device is an authenticated, trusted security device; the second mobile security device is a not-yet-authenticated security device; and the two devices have descending priority. Taking the mobile security device to be a USB device as an example: if the first mobile security device is the super Ukey, the second is an administrator Ukey, and if the first mobile security device is an administrator Ukey, the second is an ordinary Ukey.
Step S206: the second mobile security device is registered with the management center through the management terminal program.
Through these steps, the management terminal program is started only when a trusted first mobile security device is inserted into the first terminal, and a second mobile security device whose connection the first terminal detects is then registered and authenticated through that program. This solves the technical problem of security risks in terminals in the related art and improves terminal security.
In an alternative embodiment, registering the second mobile security device with the management center through the management terminal program is a remote registration, as follows: the Ukey information of the second mobile security device is sent to the management center, the registration request carrying that Ukey information; and when a registration approval message returned by the management center is received, the role information configured for the second mobile security device is written into it, the role information indicating the role of the second mobile security device in the management center. The registration approval message is triggered by a third mobile security device, which is connected to a second terminal (that is, the approver is logged in to the management center elsewhere).
In another alternative embodiment, the registration is a local registration, as follows: the third mobile security device (the approving super administrator or administrator Ukey) is connected to the first terminal itself and its PIN code is verified locally; the Ukey information of the second mobile security device is then sent to the management center, the registration request carrying that Ukey information; after the third mobile security device and the management center have authenticated each other and the management center has checked the submitted information, a registration approval message is returned; and on receipt of that message the role information configured for the second mobile security device is written into it. The local path corresponds to steps S410 to S416 of fig. 4 below.
In the above scheme, the Ukey information is generated as shown in fig. 3: a public/private key pair is generated with a cryptographic tool; the generated public key is signed with the company root CA to produce a certificate; the generated certificate is written into the Key with a generation tool; the generated public and private keys, certificate, Ukey ID and other information are recorded; and the root certificate is then imported. The information stored in the terminal includes the root certificate (that is, the company's self-signed certificate); the information stored in the Ukey is shown in table 1, and the definition of the user role information file is shown in table 2.
TABLE 1 (contents stored in the Ukey; the original provides it only as an image, which is not reproduced here)
TABLE 2 (user role information file definition; the original provides it only as an image, which is not reproduced here)
The super administrator Key is generated as follows: write the super administ Key identifier; generate the super administrator's public/private key pair with the company key generation tool; sign the super administrator's public key with the company signing tool; write the super administrator's certificate into the hardware Key with the Key configuration tool; import the root certificate into the hardware Key with the Key configuration tool; initialize the PIN code; and back up the super administrator's certificate.
The administrator Key is generated as follows: write the administrator Key identifier; generate the administrator's public/private key pair with the company key generation tool; sign the administrator's public key with the company signing tool; import the administrator's certificate into the hardware Key with the Key configuration tool; initialize the PIN code; and back up the administrator's certificate.
The ordinary user Key is generated in the same way as the administrator Key.
The registration process for an administrator Ukey is similar to that for an ordinary user Ukey; the difference is that registration of an administrator Ukey must be approved by the super administrator Ukey, while registration of an ordinary user Ukey must be approved by a system administrator Ukey. A Ukey is initialized when it leaves the factory and stores a private key, the Ukey certificate (for the public key corresponding to that private key) and the company root certificate. A company has exactly one super Ukey, which in addition to the private key, Ukey certificate and company root certificate stores a file recording role information. The registration process is shown in fig. 4:
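The generation steps above, as an added Go example that is not part of the patent or of the applicant's tools: a stand-in company root CA issues each Ukey's certificate, and VerifyUkey shows the check a terminal should make when a key is inserted, against the terminal's own copy of the root certificate rather than the one the key carries, together with a proof-of-possession challenge. The names (CompanyCA, Provision, VerifyUkey), the use of ECDSA P-256 and the placement of the role in the certificate's OU field are assumptions of this example; the PIN is only stored, since PIN verification happens inside the hardware key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Ukey models a provisioned key: private key, certificate, company root, PIN.
type Ukey struct {
	ID   string
	Priv *ecdsa.PrivateKey
	Cert *x509.Certificate
	Root *x509.Certificate
	PIN  string
}

// CompanyCA stands in for the company root CA and its signing tool.
type CompanyCA struct {
	Priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a P-256 key pair and a certificate for it signed by signer under parent (nil parent: self-signed root).
func issue(subject pkix.Name, usage x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(3 * 365 * 24 * time.Hour),
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &priv.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

func NewCompanyCA() (*CompanyCA, error) {
	priv, cert, err := issue(pkix.Name{CommonName: "Company Root CA"}, x509.KeyUsageCertSign, nil, nil)
	return &CompanyCA{Priv: priv, Cert: cert}, err
}

// Provision follows the Key generation steps: key pair, public key signed by the company CA,
// certificate and root certificate written into the key, PIN initialised. Role-in-OU is an assumption.
func (ca *CompanyCA) Provision(id, role, pin string) (*Ukey, error) {
	name := pkix.Name{CommonName: id, OrganizationalUnit: []string{role}}
	priv, cert, err := issue(name, x509.KeyUsageDigitalSignature, ca.Cert, ca.Priv)
	return &Ukey{ID: id, Priv: priv, Cert: cert, Root: ca.Cert, PIN: pin}, err
}

// VerifyUkey is what a terminal should do on key insertion: verify the chain to its own trusted
// root (not the root the key carries) and demand a signature over a fresh challenge. Returns the role.
func VerifyUkey(k *Ukey, trustedRoot *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := k.Cert.Verify(opts); err != nil {
		return "", fmt.Errorf("%s: not issued by the trusted root: %w", k.ID, err)
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand: never returns an error as of Go 1.24
	sig, err := ecdsa.SignASN1(rand.Reader, k.Priv, challenge) // happens on-device in real hardware
	if err != nil {
		return "", err
	}
	pub, ok := k.Cert.PublicKey.(*ecdsa.PublicKey)
	role := k.Cert.Subject.OrganizationalUnit
	if !ok || !ecdsa.VerifyASN1(pub, challenge, sig) || len(role) == 0 {
		return "", fmt.Errorf("%s: proof of possession or role check failed", k.ID)
	}
	return role[0], nil
}

func main() {
	ca, _ := NewCompanyCA()
	k, _ := ca.Provision("UKEY-SUPER-0001", "super", "123456")
	fmt.Println(VerifyUkey(k, ca.Cert)) // super <nil>
}
```

The certificate backup step of each procedure is outside this block. The point of passing trustedRoot separately is that the root certificate written into the key is informational only: a terminal must pin its own copy, otherwise a key provisioned by a foreign CA that carries that CA's root would pass.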
Step S401: a Ukey (the first mobile security device) is inserted; it may be the super administrator Ukey or a system administrator Ukey.
Step S402: the management terminal program is opened.
Step S403: a new Ukey (the second mobile security device), that is, the Ukey that needs to be registered, is inserted.
Step S404: "register administrator Ukey" is selected (or "ordinary Ukey"; the flow is similar).
Step S405: it is determined whether the user is applying for local or remote registration.
Step S406: for remote registration, the Ukey information of the administrator being registered is filled in, such as the Ukey PIN code and the administrator role contained in that information.
Step S407: the management center is notified and its reply is awaited. Meanwhile the super administrator Ukey logs in to the management center at another terminal and performs the approval.
Step S408: registration is completed.
Step S409: the role information is stored in the Ukey.
Step S410: for local registration, it is determined whether the super administrator Ukey has been inserted; if so, step S413 is performed, otherwise step S411.
Step S411: if not, the user is prompted to insert the super administrator Ukey; the prompt is repeated as long as the super administrator Ukey is not inserted.
Step S412: the super administrator Ukey PIN code is entered.
Step S413: if verification passes, the Ukey information of the administrator being registered, such as the Ukey PIN code and the administrator role, is filled in.
Step S414: the management center is notified; after the super administrator Ukey and the management center have authenticated each other, the management center checks the submitted information.
Step S415: the management center checks the information according to its own Ukey management policy and replies to the terminal, after which the registration can proceed.
Step S416: the role information is stored in the Ukey; after registration is complete, further configuration can be done through the configuration interface.
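The fig. 4 flow, as an added Go example that is not code from the patent or the applicant: it models the management center's approval rule (super key approves administrator keys, administrator keys approve ordinary user keys), the precondition that the terminal program only runs with a registered admin or super key inserted, and the difference between the remote path (Request at this terminal, Approve at the approver's terminal, Complete when the reply arrives) and the local path (RegisterLocal, with the approver's Ukey inserted in the same terminal and its PIN checked). Certificate validation is assumed to have happened on insertion; all type and function names are this example's own.

```go
package main

import "fmt"

// Role of a mobile security device; priority descends super > admin > user.
type Role int

const (
	RoleNone Role = iota // nothing written into the key yet: unregistered
	RoleUser
	RoleAdmin
	RoleSuper
)

// Ukey as the terminal program sees it; certificate checks are assumed done.
type Ukey struct {
	ID   string
	PIN  string
	Role Role
}

// approverFor: admin keys need the super key, user keys an admin key; anything else is not registrable.
func approverFor(wanted Role) Role {
	switch wanted {
	case RoleAdmin:
		return RoleSuper
	case RoleUser:
		return RoleAdmin
	}
	return RoleNone
}

// Center is the management center: pending requests and the registry.
type Center struct{ pending, registry map[string]Role }

// Request is the terminal program's part of both paths (S401-S407, or S401-S405 then S413-S414): it runs
// only while a registered admin or super key is inserted; the new key must be blank and its PIN must match.
func (c *Center) Request(first, newKey *Ukey, wanted Role, pin string) error {
	if first == nil || first.Role < RoleAdmin {
		return fmt.Errorf("management terminal program needs an admin or super key")
	}
	if newKey.Role != RoleNone {
		return fmt.Errorf("%s already carries role %d", newKey.ID, newKey.Role)
	}
	if pin != newKey.PIN {
		return fmt.Errorf("wrong PIN for %s", newKey.ID)
	}
	if approverFor(wanted) == RoleNone {
		return fmt.Errorf("role %d cannot be registered from a terminal", wanted)
	}
	c.pending[newKey.ID] = wanted
	return nil
}

// Approve is triggered by the approver's key (the third mobile security device), at another terminal or this one.
func (c *Center) Approve(approver *Ukey, approverPIN, id string) error {
	if approver == nil || approverPIN != approver.PIN {
		return fmt.Errorf("approver Ukey missing or PIN verification failed")
	}
	wanted, ok := c.pending[id]
	if !ok {
		return fmt.Errorf("no pending request for %s", id)
	}
	if approver.Role != approverFor(wanted) {
		return fmt.Errorf("%s (role %d) may not approve a role-%d registration", approver.ID, approver.Role, wanted)
	}
	delete(c.pending, id)
	c.registry[id] = wanted
	return nil
}

// Complete writes the role into the key, but only for a request the center approved (S408-S409, S415-S416).
func (c *Center) Complete(newKey *Ukey) error {
	role, ok := c.registry[newKey.ID]
	if !ok {
		return fmt.Errorf("%s was not approved by the management center", newKey.ID)
	}
	newKey.Role = role
	return nil
}

// RegisterLocal (S410-S416) chains the three steps with the approver's key in this terminal;
// remote registration calls Request here, Approve from the approver's terminal, then Complete.
func RegisterLocal(c *Center, first, newKey *Ukey, wanted Role, pin string, approver *Ukey, approverPIN string) error {
	if err := c.Request(first, newKey, wanted, pin); err != nil {
		return err
	}
	if err := c.Approve(approver, approverPIN, newKey.ID); err != nil {
		return err
	}
	return c.Complete(newKey)
}

func main() {
	c, super := &Center{map[string]Role{}, map[string]Role{}}, &Ukey{ID: "UKEY-SUPER", PIN: "000000", Role: RoleSuper}
	admin := &Ukey{ID: "UKEY-ADMIN-1", PIN: "111111"}
	fmt.Println(RegisterLocal(c, super, admin, RoleAdmin, "111111", super, "000000"), admin.Role) // <nil> 2
}
```

Two properties worth keeping when implementing this for real: the role is written into the key only from the center's registry, never from the request the terminal itself filled in, and a blank (unregistered) key can neither start the program nor approve anything, because its role is below the approver role for every registrable role.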
In the above embodiment, after the second mobile security device has been registered in the management center through the management terminal program, local login may be performed as follows: the authentication state of the second mobile security device is reported to the management center, where the authentication state indicates that the second mobile security device has not yet been authenticated; an authentication scheme returned by the management center is received; the first authentication information of the second mobile security device and the device address of the first terminal are sent to the management center; a first authentication result returned by the management center is acquired, or, when no first authentication result is received from the management center, a second authentication result is determined using the authentication scheme; and whether the first terminal is allowed to log in is determined using the first authentication result or the second authentication result. The specific implementation flow is shown in fig. 5: on a graphical interface, an authentication window is popped up by PAM (the pluggable authentication module in Linux); on a character interface, the user is prompted to enter the PIN:
Step S501, the Key (i.e., the Ukey) is inserted into the interface.
Step S502, the Agent reports the Key state (unauthenticated) to the management center.
Step S503, the Agent requests the policy (i.e., the authentication scheme) associated with it.
Step S504, the management center issues the Key policy that allows login on the local machine.
Step S505, the Agent and the management center maintain a heartbeat.
Step S506, the user enters the account, the password and the PIN.
Step S507, PAM sends the ID of the Key to the Agent.
Step S508, the Key ID (i.e., the first authentication information) and the local IP (i.e., the device address) are sent to the management center for verification.
Step S509, if communication with the management center is abnormal, the Agent uses the local policy.
Step S510, if communication between the Agent and the management center is normal, the result is returned and the Key state is refreshed.
Step S511, the Agent returns the verification result to PAM.
Step S512, whether login is allowed is determined according to the verification result.
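The following is an added example, not code from the patent or its assignee: a self-contained simulation of the fig. 5 local login flow, including the step S509 fallback to the cached policy when the management center cannot be reached. Class names, message formats, the IP address, Key ID, PIN and the fail-closed behaviour when no policy has been cached are constructed assumptions.

```python
"""Added example (not code from the patent): simulation of the fig. 5 local
login flow.  All names, messages and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


class CenterUnreachable(Exception):
    """The channel to the management center (heartbeat/verification) failed."""


@dataclass(frozen=True)
class KeyPolicy:
    """Authentication scheme (Key policy) returned by the management center (S504)."""
    allow_local_login: bool
    allowed_key_ids: frozenset


@dataclass
class Ukey:
    key_id: str
    pin: str

    def unlock(self, pin: str) -> Optional[str]:
        """The Ukey releases its ID only for the correct PIN (S506/S507)."""
        return self.key_id if pin == self.pin else None


@dataclass
class ManagementCenter:
    policies: Dict[str, KeyPolicy]                       # local IP -> policy for that host
    key_state: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True                               # False simulates abnormal communication (S509)

    def _check(self) -> None:
        if not self.reachable:
            raise CenterUnreachable()

    def report_state(self, key_id: str, state: str) -> None:      # S502
        self._check()
        self.key_state[key_id] = state

    def request_policy(self, local_ip: str) -> KeyPolicy:          # S503/S504
        self._check()
        return self.policies[local_ip]

    def verify(self, key_id: str, local_ip: str) -> bool:         # S508/S510
        self._check()
        policy = self.policies.get(local_ip)
        ok = policy is not None and policy.allow_local_login and key_id in policy.allowed_key_ids
        self.key_state[key_id] = "authenticated" if ok else "unauthenticated"   # refresh Key state
        return ok


class Agent:
    """Agent on the terminal: PAM talks to it, it talks to the management center."""

    def __init__(self, center: ManagementCenter, local_ip: str):
        self.center = center
        self.local_ip = local_ip
        self.local_policy: Optional[KeyPolicy] = None    # cached scheme used when the center is down

    def on_key_inserted(self, key_id: str) -> None:                 # S501-S504
        try:
            self.center.report_state(key_id, "unauthenticated")
            self.local_policy = self.center.request_policy(self.local_ip)
        except CenterUnreachable:
            self.local_policy = None                     # nothing cached: later verification fails closed

    def verify_key(self, key_id: str) -> bool:                      # S507-S511
        try:
            return self.center.verify(key_id, self.local_ip)        # first authentication result
        except CenterUnreachable:                                   # S509: use the local policy
            if self.local_policy is None:
                return False                                        # fail closed (assumption)
            return self.local_policy.allow_local_login and key_id in self.local_policy.allowed_key_ids


def pam_login(agent: Agent, key: Ukey, pin: str) -> bool:          # S506-S512
    key_id = key.unlock(pin)
    if key_id is None:
        return False                                     # wrong PIN: the Key never releases its ID
    return agent.verify_key(key_id)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios: online, then the center goes away."""
    key = Ukey("KEY-0001", "1234")
    center = ManagementCenter({"10.0.0.5": KeyPolicy(True, frozenset({"KEY-0001"}))})
    agent = Agent(center, "10.0.0.5")
    agent.on_key_inserted(key.key_id)
    out = {
        "online_ok": pam_login(agent, key, "1234"),
        "online_bad_pin": pam_login(agent, key, "9999"),
        "online_unknown_key": pam_login(agent, Ukey("KEY-9999", "1"), "1"),
    }
    center.reachable = False                             # S509: communication abnormal
    out["offline_cached_policy"] = pam_login(agent, key, "1234")
    out["offline_unknown_key"] = pam_login(agent, Ukey("KEY-9999", "1"), "1")
    cold = Agent(center, "10.0.0.5")                     # Key inserted while the center is already down
    cold.on_key_inserted(key.key_id)
    out["offline_no_policy"] = pam_login(cold, key, "1234")
    return out
```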
In the above embodiment, after the second mobile security device has been registered in the management center through the management terminal program, remote active login may be performed as follows: the first authentication information and a target address of the second mobile security device are acquired; when the second mobile security device is determined, using its first authentication information, to have passed the authentication of the management center, a login credential is sent to the target address; when the login credential sent to the target address passes verification, the agent end of the target address sends the device information of the device accessing the target address to the management center; and the first terminal is allowed to log in at the target address when the management center verifies that the device information matches the second mobile security device.
In the active authentication mode, before the remote connection is made, the remote management interface is opened manually, the IP to be logged in to is entered, and the Key to be authenticated is selected. After authentication passes, the original account and password can be entered in a remote tool such as xshell or mstsc to connect. The specific flow is shown in fig. 6:
Step S601, the initiating end enters the connection IP (i.e., the target address) and the PIN for verification (i.e., the first authentication information) in the verification tool.
Step S602, the validity of the Key is verified locally, and the IP and Key information are sent to the management center.
Step S603, whether the Key is allowed to log in to the IP address is verified, a record is created, and the result is returned to the Agent.
Step S604, the initiating end connects to the opposite end using Xshell and enters the account and password (i.e., the login credential).
Step S605, PAM notifies the destination Agent of the remote IP (i.e., the device information).
Step S606, the destination Agent sends the remote IP to the management center.
Step S607, the management center verifies the validity of the IP and the KeyID (for example, whether the IP is the destination IP and whether the KeyID is the KeyID in the record), and returns the result to the destination Agent.
Step S608, the destination Agent returns the result to the destination PAM.
Step S609, PAM determines according to the result whether the ssh connection is allowed to succeed.
In the above embodiment, after the second mobile security device has been registered in the management center through the management terminal program, remote passive login may be performed as follows: when the login credential sent to the target address passes verification, the agent end of the target address sends the device information of the device accessing the target address to the management center; when the management center verifies that the device information matches the second mobile security device, the management center authenticates the second mobile security device using its first authentication information; the management center feeds the authentication result back to the agent end of the target address; and the agent end of the target address determines, according to the received authentication result, whether to allow the first terminal to log in to the target address.
In the passive authentication mode, the user does not authenticate in the remote management interface first but connects to the remote machine directly with a tool such as xshell or mstsc; during the connection, the local machine pops up the remote management interface for authentication. As shown in fig. 7:
Step S701, the initiating end enters the account and password (i.e., the login credential) in Xshell, and they are sent to the destination PAM.
Step S702, PAM notifies the destination Agent of the remote IP (i.e., the device information).
Step S703, the destination Agent sends the remote IP to the management center.
Step S704, the management center creates a record and notifies the source Agent (i.e., the initiating Agent) to verify the local Key, passing the ID of the record and the IP to be logged in to.
Step S705, the initiating Agent pops up a verification box to verify the PIN of the local Key.
Step S706, if the Key verification passes, the KeyID is obtained.
Step S707, if the Key verification fails, an error is returned.
Step S708, the verification result is sent to the management center; if verification passed, the record ID and the Key serial number are recorded, and if it failed, the error code is recorded.
Step S709, whether the Key is allowed to log in is verified, and the verification result is sent to the destination Agent.
Step S710, the result is returned and sent to PAM.
Step S711, whether the ssh login is allowed is determined according to the verification result.
In the above embodiment, after the second mobile security device has been registered in the management center through the management terminal program, the active authentication mode may be used to log in to the management center: the first authentication information of the second mobile security device is sent to the management center; when a message allowing login is returned by the management center, the second authentication information of the first terminal is entered through the management terminal program of the management center; and the management center determines whether to allow the first terminal to log in according to the second authentication information received in the management terminal program and the pre-stored identity authentication information. As shown in fig. 8:
Step S801, in the management terminal program, click remote management, select login to the management center, select the Key to be authenticated, and enter the PIN code (i.e., the first authentication information).
Step S802, the Agent verifies the Key and sends the Key information to the management center.
Step S803, the management center verifies in its identity authentication module whether the Key is allowed to log in to the management center and, if so, creates a record containing information such as the ID, the Key and the IP.
Step S804, the verification result is returned to the Agent.
Step S805, the account and password (i.e., the second authentication information) are entered on the Web interface.
Step S806, the Web interface of the management center obtains the account, the password and the login IP, and checks whether a matching record was created in step S803.
Step S807, the management center returns the login result.
In the above embodiment, after the second mobile security device has been registered in the management center through the management terminal program, the second mobile security device may log in to the management center in the passive authentication mode: when the management center determines, according to the second authentication information received by the management terminal program and the pre-stored identity authentication information, that no verification record of the second mobile security device exists, the first authentication information of the second mobile security device is acquired at the management terminal program; and the management center determines whether to allow the first terminal to log in according to the first authentication information received in the management terminal program. Fig. 9 shows the specific flow of the passive authentication mode for logging in to the management center via the Web:
Step S901, the account and password (i.e., the second authentication information) are entered at the management center.
Step S902, the management center detects that no matching verification record has been created.
Step S903, the Agent is notified to pop up a verification interface.
Step S904, the Agent pops up the Key login management interface.
Step S905, the relevant information is entered in the management interface.
Step S906, the Key is verified, and the Key-related information (i.e., the second authentication information) is sent to the management center.
Step S907, the received Key information is verified to determine whether login to the management center is allowed.
Step S908, the login result is returned to the Web management center.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present application.
According to another aspect of the embodiment of the present application, there is also provided a registration apparatus for a mobile security device, which is used for implementing the registration method for a mobile security device. Fig. 10 is a schematic diagram of an alternative registration apparatus for a mobile security device according to an embodiment of the present application, and as shown in fig. 10, the apparatus may include:
a starting unit 1001, configured to start a management terminal program on a first terminal when the first mobile security device is accessed to the first terminal, where the management terminal program is configured to communicate with a management center when the first mobile security device is accessed to the first terminal, and the first mobile security device is configured to manage a mobile security device to be registered;
an obtaining unit 1003, configured to, when detecting that a second mobile security device is accessed on the first terminal, obtain, through the management terminal program, a registration request of the second mobile security device;
a registering unit 1005, configured to register the second mobile security device in the management center through the management terminal program.
It should be noted that the starting unit 1001 in this embodiment may be configured to execute step S202 in this embodiment, the obtaining unit 1003 in this embodiment may be configured to execute step S204 in this embodiment, and the registering unit 1005 in this embodiment may be configured to execute step S206 in this embodiment.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may operate in a hardware environment as shown in fig. 1, and may be implemented by software or hardware.
Through the above modules, when a trusted first mobile security device is inserted into the first terminal, the management terminal program is started, so that when the first terminal detects that a second mobile security device has been accessed, the second mobile security device is registered and authenticated through the management terminal program. This solves the technical problem in the related art that a terminal carries potential security risks, and achieves the technical effect of improving terminal security.
Optionally, the registration unit may be further configured to: send Ukey information of the second mobile security device to the management center, wherein the registration request carries the Ukey information; and write role information configured for the second mobile security device into the second mobile security device upon receiving a registration approval message returned by the management center, wherein the role information configured for the second mobile security device is used for indicating the role of the second mobile security device in the management center, the registration approval message is triggered by a third mobile security device, and the third mobile security device is accessed to a second terminal.
Optionally, the registration unit may be further configured to: upon receiving a registration consent message from the first mobile security device, obtain Ukey information of the second mobile security device, wherein the registration request carries the Ukey information; send the Ukey information of the second mobile security device to the management center; and upon receiving a registration completion message returned by the management center, write role information configured for the second mobile security device into the second mobile security device, wherein the role information configured for the second mobile security device is used for representing the role of the second mobile security device in the management center.
Optionally, the registration unit may be further configured to: after registering the second mobile security device in the management center through the management terminal program, reporting an authentication state of the second mobile security device to the management center, wherein the authentication state is used for indicating that the second mobile security device is not authenticated; receiving an authentication scheme returned by the management center; sending the first authentication information of the second mobile security device and the device address of the first terminal to the management center; acquiring a first authentication result returned by the management center, or determining a second authentication result by using the authentication scheme under the condition that the first authentication result returned by the management center is not received; and determining whether to allow the first terminal to log in by using the first authentication result or the second authentication result.
Optionally, the registration unit may be further configured to: after the second mobile security device is registered in the management center through the management terminal program, acquire first authentication information and a target address of the second mobile security device; when the second mobile security device is determined to have passed the authentication of the management center using its first authentication information, send a login credential to the target address; when the login credential sent to the target address passes verification, have the agent end of the target address send the device information of the device accessing the target address to the management center; and allow the first terminal to log in at the target address when the management center verifies that the device information matches the second mobile security device.
Optionally, the registration unit may be further configured to: after the second mobile security device is registered in the management center through the management terminal program, when the login credential sent to a target address passes verification, have the agent end of the target address send the device information of the device accessing the target address to the management center; when the management center verifies that the device information matches the second mobile security device, the management center authenticates the second mobile security device using its first authentication information; the management center feeds the authentication result back to the agent end of the target address; and the agent end of the target address determines, according to the received authentication result, whether to allow the first terminal to log in to the target address.
Optionally, the registration unit may be further configured to: after registering the second mobile security device in the management center through the management terminal program, sending first authentication information of the second mobile security device to the management center; under the condition of receiving a message which is returned by the management center and allows login, inputting second authentication information of the first terminal through a management terminal program of the management center; the management center determines whether the first terminal is allowed to log in according to second authentication information received by the management terminal program and prestored identity authentication information; or, under the condition that the management center determines that the verification record of the second mobile security device does not exist according to the second authentication information received by the management terminal program and the pre-stored identity authentication information, acquiring the first authentication information of the second mobile security device at the management terminal program; and the management center determines whether to allow the first terminal to log in according to the first authentication information received by the management terminal program.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 1, and may be implemented by software, or may be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the present application, there is also provided a server or a terminal for implementing the registration method of the mobile security device.
Fig. 11 is a block diagram of a terminal according to an embodiment of the present application. As shown in fig. 11, the terminal may include one or more processors 1101 (only one is shown in fig. 11), a memory 1103 and a transmission device 1105; as also shown in fig. 11, the terminal may further include an input-output device 1107.
The memory 1103 may be configured to store software programs and modules, such as program instructions/modules corresponding to the registration method and apparatus of the mobile security device in the embodiment of the present application, and the processor 1101 executes various functional applications and data processing by running the software programs and modules stored in the memory 1103, that is, implements the registration method of the mobile security device. The memory 1103 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 1103 can further include memory located remotely from the processor 1101, which can be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 1105 is used for receiving or sending data via a network, and can also be used for data transmission between the processor and the memory. Examples of the network include wired and wireless networks. In one example, the transmission device 1105 includes a network adapter (NIC) that can be connected to a router via a network cable and other network devices to communicate with the Internet or a local area network. In another example, the transmission device 1105 is a radio frequency (RF) module used to communicate wirelessly with the Internet.
The memory 1103 is used for storing, among other things, application programs.
The processor 1101 may call an application stored in the memory 1103 through the transmission device 1105 to perform the following steps:
under the condition that a first mobile security device is accessed to a first terminal, starting a management terminal program on the first terminal, wherein the management terminal program is used for communicating with a management center under the condition that the first mobile security device is accessed to the first terminal, and the first mobile security device is used for managing the mobile security device to be registered;
under the condition that the first terminal detects that a second mobile security device is accessed, acquiring a registration request of the second mobile security device through the management terminal program;
and registering the second mobile security device in the management center through the management terminal program.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Those skilled in the art will understand that the structure shown in fig. 11 is only illustrative; the terminal may be a terminal device such as a smart phone (e.g., an Android phone or an iOS phone), a tablet computer, a palmtop computer, a Mobile Internet Device (MID) or a PAD. Fig. 11 is a diagram illustrating the structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices) than shown in fig. 11, or have a configuration different from that shown in fig. 11.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present application also provide a storage medium. Optionally, in this embodiment, the storage medium may store program code for executing the registration method of a mobile security device.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
under the condition that a first mobile security device is accessed to a first terminal, starting a management terminal program on the first terminal, wherein the management terminal program is used for communicating with a management center under the condition that the first mobile security device is accessed to the first terminal, and the first mobile security device is used for managing the mobile security device to be registered;
under the condition that the first terminal detects that a second mobile security device is accessed, acquiring a registration request of the second mobile security device through the management terminal program;
and registering the second mobile security device in the management center through the management terminal program.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including instructions for causing one or more computer devices (which may be personal computers, servers, network devices, or the like) to execute all or part of the steps of the method described in the embodiments of the present application.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A method for registering a mobile security device, comprising:
under the condition that a first mobile security device is accessed to a first terminal, starting a management terminal program on the first terminal, wherein the management terminal program is used for communicating with a management center under the condition that the first mobile security device is accessed to the first terminal, and the first mobile security device is used for managing the mobile security device to be registered;
under the condition that the first terminal detects that a second mobile security device is accessed, acquiring a registration request of the second mobile security device through the management terminal program;
and registering the second mobile security device in the management center through the management terminal program.
2. The method of claim 1, wherein registering the second mobile security device with the management center via the management terminal program comprises:
sending Ukey information of the second mobile security device to the management center, wherein the registration request carries the Ukey information;
and writing role information configured for the second mobile security device into the second mobile security device upon receiving a registration approval message returned by the management center, wherein the role information configured for the second mobile security device is used for representing the role of the second mobile security device in the management center, the registration approval message is triggered by a third mobile security device, the third mobile security device is accessed to a second terminal, and the third mobile security device is used for managing the mobile security devices to be registered.
3. The method of claim 1, wherein registering the second mobile security device with the management center via the management terminal program comprises:
upon receiving a registration consent message from the first mobile security device, obtaining Ukey information of the second mobile security device, wherein the registration request carries the Ukey information;
sending the Ukey information of the second mobile security device to the management center;
and writing the role information configured for the second mobile security device into the second mobile security device when a message of completing registration returned by the management center is received, wherein the role information configured for the second mobile security device is used for representing the role of the second mobile security device in the management center.
4. The method according to any one of claims 1 to 3, wherein after registering the second mobile security device with the management center by the management terminal program, the method further comprises:
reporting an authentication state of the second mobile security device to the management center, wherein the authentication state is used for indicating that the second mobile security device is not authenticated;
receiving an authentication scheme returned by the management center;
sending the first authentication information of the second mobile security device and the device address of the first terminal to the management center;
acquiring a first authentication result returned by the management center, or determining a second authentication result by using the authentication scheme under the condition that the first authentication result returned by the management center is not received;
and determining whether to allow the first terminal to log in by using the first authentication result or the second authentication result.
5. The method according to any one of claims 1 to 3, wherein after registering the second mobile security device with the management center by the management terminal program, the method further comprises:
acquiring first authentication information and a target address of the second mobile security device;
when the second mobile security device is determined, using its first authentication information, to have passed authentication by the management center, sending a login credential to the target address;
when the login credential sent to the target address passes verification, the agent at the target address sends the device information of the device accessing the target address to the management center;
and allowing the first terminal to log in at the target address when the management center verifies that the device information matches the second mobile security device.
6. The method according to any one of claims 1 to 3, wherein after registering the second mobile security device with the management center by the management terminal program, the method further comprises:
when the login credential sent to the target address passes verification, the agent at the target address sends the device information of the device accessing the target address to the management center;
when the management center verifies that the device information matches the second mobile security device, the management center authenticates the second mobile security device using the first authentication information of the second mobile security device;
the management center feeds back an authentication result to the agent at the target address;
and the agent at the target address determines, according to the received authentication result, whether to allow the first terminal to log in at the target address.
7. The method according to any one of claims 1 to 3, wherein after registering the second mobile security device with the management center by the management terminal program, the method further comprises:
sending first authentication information of the second mobile security device to the management center; when a message allowing login is returned by the management center, inputting second authentication information of the first terminal through a management terminal program of the management center; and the management center determining, according to the second authentication information received by the management terminal program and pre-stored identity authentication information, whether to allow the first terminal to log in; or,
when the management center determines, according to the second authentication information received by the management terminal program and the pre-stored identity authentication information, that no verification record of the second mobile security device exists, acquiring the first authentication information of the second mobile security device at the management terminal program; and the management center determining, according to the first authentication information received by the management terminal program, whether to allow the first terminal to log in.
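The flow of claims 3 to 5 (registration vouched for by the first, administrative device; authentication with a locally decided fallback when the management center does not answer; and the agent-side device check at the target address), as an added example that is not part of the patent or of the applicant's software. The class and function names, the HMAC challenge-response standing in for the "authentication information", the credential format and the concrete form of the "authentication scheme" are assumptions: the claims state what is exchanged, not how it is encoded.

```python
"""Registration and login flow of claims 3 to 5, simulated end to end.
Added example, not the patent's own code: the names, the HMAC-over-challenge proof,
the credential format and the offline scheme are assumptions; the claims say what
is exchanged, not how it is encoded."""
import hashlib
import hmac
import os


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class Ukey:
    """Mobile security device; prove() stands in for the on-device operation."""
    def __init__(self, serial):
        self.serial, self._secret, self.role = serial, os.urandom(32), None

    def prove(self, challenge):
        return _mac(self._secret, challenge)

    def export(self):  # a real device would export a public key, not the secret
        return self.serial, self._secret


class ManagementCenter:
    def __init__(self):
        self._keys = {}                  # serial -> (secret, role)
        self._cred_key = os.urandom(32)  # authenticates login credentials
        self.auth_state = {}             # serial -> "unauthenticated" | "authenticated"
        self.online = True

    def enrol_admin(self, key):
        serial, secret = key.export()
        self._keys[serial] = (secret, "admin")

    def _valid(self, serial, challenge, proof):
        rec = self._keys.get(serial)
        return rec is not None and hmac.compare_digest(_mac(rec[0], challenge), proof)

    def register(self, admin_serial, agree_msg, new_serial, new_secret, role):
        # Claim 3: only a registered admin device may vouch, its proof is bound to the
        # new device's Ukey information, and an existing serial is never overwritten.
        if self._keys.get(admin_serial, (None, None))[1] != "admin" or new_serial in self._keys:
            return None
        if not self._valid(admin_serial, new_serial.encode() + new_secret, agree_msg):
            return None
        self._keys[new_serial] = (new_secret, role)
        self.auth_state[new_serial] = "unauthenticated"
        return "registration complete"

    def offline_scheme(self, serial):
        # Claim 4: handed to the terminal up front; a one-time challenge plus the hash
        # of the response the registered device must give, usable if the center is down.
        rec = self._keys.get(serial)
        if rec is None:
            return None
        challenge = os.urandom(16)
        return {"challenge": challenge,
                "response_hash": hashlib.sha256(_mac(rec[0], challenge)).digest()}

    def authenticate(self, serial, challenge, proof, terminal_addr):
        # Claim 4 online path: a credential bound to (serial, terminal), "deny", or
        # None when the center is unreachable.
        if not self.online:
            return None
        if not self._valid(serial, challenge, proof):
            return "deny"
        self.auth_state[serial] = "authenticated"
        body = f"{serial}|{terminal_addr}".encode()
        return body + b"|" + _mac(self._cred_key, body).hex().encode()

    def credential_valid(self, cred):
        serial, addr, tag = cred.split(b"|")
        return hmac.compare_digest(_mac(self._cred_key, serial + b"|" + addr).hex().encode(), tag)

    def device_matches(self, cred, device_info):
        # Claim 5: the device the agent saw must be the registered one named in the
        # credential, on the terminal the credential was issued for.
        serial, addr, _ = cred.split(b"|")
        return (serial.decode() in self._keys
                and device_info.get("serial") == serial.decode()
                and device_info.get("addr") == addr.decode())


def register_second_device(center, admin_key, new_key, role):
    """Management terminal program, claim 3."""
    serial, secret = new_key.export()
    agree_msg = admin_key.prove(serial.encode() + secret)  # first device agrees
    reply = center.register(admin_key.serial, agree_msg, serial, secret, role)
    if reply == "registration complete":
        new_key.role = role                                # written into the device
    return reply


def login(center, key, terminal_addr, scheme):
    """Claim 4: returns (decision, credential); the credential is None on the offline path."""
    challenge = os.urandom(16)
    result = center.authenticate(key.serial, challenge, key.prove(challenge), terminal_addr)
    if result is not None:                                 # first authentication result
        return ("deny", None) if result == "deny" else ("allow", result)
    response = key.prove(scheme["challenge"])              # second result, decided locally
    ok = hmac.compare_digest(hashlib.sha256(response).digest(), scheme["response_hash"])
    return ("allow" if ok else "deny"), None


def agent_admit(center, cred, device_info):
    """Agent at the target address, claim 5: a valid credential alone is not enough."""
    if cred is None or not center.credential_valid(cred):
        return False
    return center.device_matches(cred, device_info)
```

Two points the claims leave implicit are made explicit here. The agent's call to device_matches is what stops a credential captured on one terminal from being replayed from a terminal that holds a different key, or no key at all: the credential is only accepted when the device the agent actually observes is the registered device it names. The offline scheme is deliberately weak on purpose: it lets the terminal verify one pre-issued challenge against the registered device, but it carries no signing key, so a terminal working through the fallback can decide a local login but cannot mint a credential the agent would accept.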
8. An apparatus for registering a mobile security device, comprising:
a starting unit, configured to start a management terminal program on a first terminal when a first mobile security device is accessed on the first terminal, wherein the management terminal program communicates with a management center while the first mobile security device is accessed on the first terminal, and the first mobile security device is used for managing mobile security devices to be registered;
an obtaining unit, configured to obtain, through the management terminal program, a registration request of a second mobile security device when the second mobile security device is detected as accessed on the first terminal;
and a registration unit, configured to register the second mobile security device with the management center through the management terminal program.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 7.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 7 by means of the computer program.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010600264.6A CN111901304B (en) 2020-06-28 2020-06-28 Registration method and device of mobile security equipment, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN111901304A true CN111901304A (en) 2020-11-06
CN111901304B CN111901304B (en) 2022-08-26

Family

ID=73207212

Country Status (1)

Country Link
CN (1) CN111901304B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060268744A1 (en) * 2005-04-27 2006-11-30 Canon Kabushiki Kaisha Communication apparatus and communication method
CN101312453A (en) * 2007-05-21 2008-11-26 联想(北京)有限公司 User terminal, method for login network service system, method for binding and debinding
CN104573516A (en) * 2014-12-25 2015-04-29 中国科学院软件研究所 Industrial control system trusted environment control method and platform based on safety chip
CN110299996A (en) * 2018-03-22 2019-10-01 阿里巴巴集团控股有限公司 Authentication method, equipment and system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113014393A (en) * 2021-02-20 2021-06-22 中易通科技股份有限公司 Password safe box system based on hardware encryption and application method
CN114499989A (en) * 2021-12-30 2022-05-13 奇安信科技集团股份有限公司 Security device management method and device
CN115174180A (en) * 2022-06-28 2022-10-11 珠海奔图电子有限公司 Authentication method, authentication device, server and storage medium
CN115174180B (en) * 2022-06-28 2023-10-27 珠海奔图电子有限公司 Authentication method, authentication device, server and storage medium

Also Published As

Publication number Publication date
CN111901304B (en) 2022-08-26

Similar Documents

Publication Publication Date Title
CN109951489B (en) Digital identity authentication method, equipment, device, system and storage medium
US10437985B2 (en) Using a second device to enroll a secure application enclave
TWI735691B (en) Data key protection method, device and system
KR102493744B1 (en) Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server
US9838205B2 (en) Network authentication method for secure electronic transactions
CN111901304B (en) Registration method and device of mobile security equipment, storage medium and electronic device
TW201918049A (en) Trusted remote attestation method, device and system capable of ensuring information security without causing an influence on the operation of the server terminal during the policy deployment process
US10931464B2 (en) Communication system, hardware security module, terminal device, communication method, and program
CN110874478B (en) Key processing method and device, storage medium and processor
CN112425114A (en) Password manager protected by public-private key pair
US11809540B2 (en) System and method for facilitating authentication via a short-range wireless token
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
CN111371726B (en) Authentication method and device for security code space, storage medium and processor
Abraham et al. SSI Strong Authentication using a Mobile-phone based Identity Wallet Reaching a High Level of Assurance.
CN111901303A (en) Device authentication method and apparatus, storage medium, and electronic apparatus
CN112966254B (en) Secure communication method and system for host and trusted cryptographic module
CN113366461A (en) Accessing firmware settings using asymmetric cryptography
CN107204959B (en) Verification method, device and system of verification code
CN110858246B (en) Authentication method and system of security code space, and registration method thereof
CN111506915A (en) Authorized access control method, device and system
CN109257381A (en) A kind of key management method, system and electronic equipment
CN114117388A (en) Device registration method, device registration apparatus, electronic device, and storage medium
CN112000935A (en) Remote authentication method, device, system, storage medium and computer equipment
US20210192493A1 (en) Method and system for implementing a virtual smart card service
JP6404928B2 (en) User information management system and user information management method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant