CN112241527B - Secret key generation method and system of terminal equipment of Internet of things and electronic equipment - Google Patents
Secret key generation method and system of terminal equipment of Internet of things and electronic equipment Download PDFInfo
- Publication number
- CN112241527B CN112241527B CN202011481880.0A CN202011481880A CN112241527B CN 112241527 B CN112241527 B CN 112241527B CN 202011481880 A CN202011481880 A CN 202011481880A CN 112241527 B CN112241527 B CN 112241527B
- Authority
- CN
- China
- Prior art keywords
- terminal
- password module
- digital signature
- current
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The application provides a secret key generation method and system of terminal equipment of the Internet of things and electronic equipment. In the application, the private key is not generated by a device such as an internet of things terminal device, but the terminal and the server cooperate with each other to generate private key components, and any one end cannot recover the complete private key independently, so that the security of the private key is protected from being stolen illegally.
Description
Technical Field
The application relates to a data security technology, in particular to a key generation method and system for terminal equipment of the Internet of things and electronic equipment.
Background
In the application of the internet of things, a large amount of cryptographic operations are required to be applied to operations such as identity authentication and data encryption performed by terminal equipment of the internet of things (also referred to as terminal equipment for short). However, the cryptographic operation cannot secure its root-key, such as a private key, which easily results in key leakage. And key leakage can cause important data to be stolen, thereby bringing about a plurality of security problems.
Disclosure of Invention
The application provides a secret key generation method and system of terminal equipment of the Internet of things and electronic equipment, so as to protect a private key.
The embodiment of the application provides a secret key generation method, which is applied to terminal equipment of the Internet of things, wherein a terminal password module is deployed on the terminal equipment of the Internet of things, and the method comprises the following steps:
when a key generation event is detected by a terminal password module, if the terminal password module passes a first self-check and a second self-check, the current check parameter of the terminal equipment of the internet of things is sent to a server password module deployed on a server through the terminal password module for checking, so that the server password module performs a first key operation to generate a first private key component and generates a public key component according to the first private key component when the current check parameter passes the check; the first self-check is used for checking whether the set digital signature of the terminal password module is legal or not, and the second self-check is used for checking whether the running environment of the terminal password module is normal or not;
obtaining the public key component generated by the server side password module, performing second key operation through the terminal password module to generate a second private key component, and generating a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperatively decrypt ciphertext encrypted via the target public key and/or generate a digital signature; the target public key is used to encrypt data and/or verify the digital signature.
The embodiment of the application provides a key protection method, which is applied to a server, wherein a server cryptographic module is deployed on the server, and the server cryptographic module and a terminal cryptographic module deployed on terminal equipment of the Internet of things cooperate to generate a key; the method comprises the following steps:
receiving the current verification parameters sent by the terminal password module through the server password module;
verifying the current verification parameter, performing first key operation to generate a first private key component when the current verification parameter passes verification, generating a corresponding public key component according to the first private key component, and sending the public key component to the terminal cryptographic module so that the terminal cryptographic module generates a target public key according to the public key component and a second private key component, wherein the second private key component is generated by performing second key operation by the terminal cryptographic module when the current verification parameter passes verification of the server cryptographic module; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
The embodiment of the application provides a secret key generation system, which comprises an Internet of things terminal device and a server, wherein a terminal password module is deployed on the Internet of things terminal device, and a server password module is deployed on the server;
when the terminal password module detects a key generation event, if the terminal password module passes a first self-check and a second self-check, sending a current verification parameter to the server password module for verification through the terminal password module;
the server-side password module verifies the received current verification parameters, performs first key operation to generate a first private key component when the current verification parameters pass verification, generates a corresponding public key component according to the first private key component, and sends the public key component to the terminal password module;
the terminal password module obtains the public key component, performs second key operation to generate a second private key component, and generates a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
The embodiment of the application also provides the electronic equipment. The electronic device includes: a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
the processor is configured to execute machine-executable instructions to implement the steps of the above-disclosed method.
According to the technical scheme, the private key is not generated by a device such as an internet of things terminal device, but the terminal and the server cooperate to generate private key components, and any one end cannot recover the complete private key independently, so that the security of the private key is protected from being stolen illegally.
Furthermore, in the application, through the first self-checking and the second self-checking, the generation of the private key is bound with the legality and the operating environment of the terminal password module, and only the terminal password module can execute the generation of the subsequent private key component after the first self-checking and the second self-checking, so that the private key component can be further generated in a safe environment, and the safety of the private key component is further protected.
Furthermore, in the application, the public key is not generated by a device, such as an internet of things terminal device, but generated by the terminal cryptographic module according to the locally generated second private key component and the public key component generated by the server according to the first private key component and the first random number, so that the private key component cannot be cracked based on the target public key even if the target public key is obtained, and the security of the private key component is further improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart of a method provided by an embodiment of the present application;
fig. 2 is a diagram of an application structure provided in an embodiment of the present application;
FIG. 3 is a flow chart of another method provided by an embodiment of the present application;
FIG. 4 is a flow chart of a digital signature provided by an embodiment of the present application;
FIG. 5 is a flowchart of decryption provided by an embodiment of the present application;
fig. 6 is a system configuration diagram provided in the embodiment of the present application;
FIG. 7 is a block diagram of an apparatus according to an embodiment of the present disclosure;
FIG. 8 is a block diagram of another apparatus according to an embodiment of the present disclosure;
fig. 9 is a structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
At present, security-sensitive parameters such as a private key are stored in a device at one end, for example, in a terminal device or in a server, which may cause the security-sensitive parameters such as the private key to be easily stolen or leaked. The following describes the present application with security sensitive parameters as private keys as examples:
in order to improve the security of the private key, the embodiment of the application provides the cooperative protection that the protected private key is dispersed in the terminal device and the server, and any end, such as the terminal device or the server, cannot independently recover the complete private key, so that the security of the private key is ensured and the private key cannot be illegally stolen. This is described in detail below with reference to fig. 1:
referring to fig. 1, fig. 1 is a flowchart of a method provided in an embodiment of the present application. The process is applied to the terminal equipment. In order to protect security sensitive parameters such as a private key, a new module (denoted as a terminal cryptographic module) is introduced into the terminal device, and a new module (denoted as a server cryptographic module) is also introduced into the server. Fig. 2 shows an application structure between the terminal device and the server by way of example. In this embodiment, the terminal cryptographic module and the server cryptographic module may be implemented by software or hardware.
In this embodiment, the terminal cryptographic module and the server cooperate to generate private key components of a private key required for cryptographic operation, and encrypt and store the generated private key components respectively. Even if the private key component stored at one end is illegally stolen, the private key component cannot be used because the private key component is incomplete, so that the security of the private key is improved. The flow shown in fig. 1 is described below:
as shown in fig. 1, the process may include the following steps:
In this embodiment, the terminal cryptographic module provides a key generation function. When it is determined that a key needs to be generated, then the key generation function may be enabled or triggered. Alternatively, when it is detected that the key generation function is triggered or enabled, it means that a key generation event is detected.
In this embodiment, the first self-check and the second self-check are performed before the terminal cryptographic module normally operates.
Optionally, in this embodiment, the first self-check is configured to check whether the digital signature set by the terminal cryptographic module is legal, and specifically may include:
step a1, obtaining a preset public key for verifying the digital signature set by the terminal password module.
Alternatively, the preset public key may be a public key negotiated by the terminal device and the server. Optionally, in this embodiment, the digital signature may be performed according to a private key negotiated between the terminal device and the server. As for the format of the digital signature, the present embodiment is not particularly limited, and may be, for example, an SM2 digital signature.
Step a2, checking whether the digital signature set by the terminal password module is legal through a preset public key, if so, determining that the terminal password module passes the first self-check, otherwise, determining that the terminal password module does not pass the first self-check.
Optionally, in this embodiment, the method for verifying the digital signature according to the preset public key is similar to the existing digital signature verification method, and details are not described here.
So far, the description of the first self-test is completed.
Optionally, in this embodiment, the second self-check is configured to check whether the operating environment of the terminal cryptographic module is normal, and specifically may include:
step b1, an attempt is made to start a running process for running the terminal cryptographic module.
Initially, a process (herein referred to as a run process) for running the terminal cryptographic module is configured for the terminal cryptographic module. When the step b1 is executed, the running process is started.
Step b2, obtaining process attribute parameters of the running process after starting, if the process attribute parameters meet the process requirements, determining that the running environment of the terminal cryptographic module is normal, the terminal cryptographic module passes the second self-check, otherwise, determining that the running environment of the terminal cryptographic module is abnormal, and the terminal cryptographic module does not pass the second self-check.
Optionally, there are many process attribute parameters, such as a process file status attribute, a parameter (tracerpd) value for indicating process debugging, and the like. Taking the tracer pid value as an example, if the tracer pid value is not the specified value such as 0, then the passive debugging is considered, and at this time, the current operating environment is considered to be abnormal (also called abnormal), otherwise, when the tracer pid value is the specified value such as 0, then the current normal operation is considered, and the operating environment is normal.
So far, the description of the second self-test is completed.
In this embodiment, as described in step 101 above, when the key generation event is detected by the terminal cryptographic module, if the terminal cryptographic module has passed the first self-check and the second self-check, the current verification parameters of the terminal device may be obtained by the terminal cryptographic module. Optionally, the current verification parameter here is a real-time parameter, for example, a parameter input dynamically from the outside, or a current real-time status parameter of the terminal device, and the current verification parameter will be described in the following by way of example, and will not be described herein again.
And then, after the current verification parameters of the terminal equipment are obtained through the terminal password module, the current verification parameters are sent to the server password module through the terminal password module. When the server cryptographic module receives the current verification parameter, the process shown in fig. 3 is executed. Briefly summarizing the flow shown in fig. 3, the following may be mentioned: the server-side password module verifies the current verification parameter, and the first verification is carried out when the current verification parameter passes the verificationThe key operation generates a first private key component (denoted as f)1) And according to the first private key component f1And generating a public key component and sending the public key component to the terminal password module.
When the terminal cryptographic module learns that the current verification parameter passes the verification of the server cryptographic module, the following step 102 is executed. Optionally, the server-side cryptographic module may send a verification passing instruction to the terminal cryptographic module when the current verification parameter passes verification. And when the terminal password module receives the verification passing instruction, the terminal password module acquires that the current verification parameters pass the verification of the server password module.
102, obtaining the public key component generated by the server side password module, performing second key operation through the terminal password module to generate a second private key component, and generating a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperatively decrypt a ciphertext encrypted via the target public key and/or generate a digital signature; the target public key is used to encrypt data and/or verify the digital signature.
Optionally, the verification passing instruction may carry the public key component, and when the terminal cryptographic module receives the verification passing instruction, the public key component carried by the verification passing instruction may be obtained.
In this embodiment, there are many implementation manners for generating the second private key component through the terminal cryptographic module performing the second key operation, but the second private key component finally generated by any implementation manner meets the standard of the standard key algorithm, such as the national cryptographic algorithm.
Optionally, a second key operation is performed by the terminal cryptographic module to generate a second private key component (denoted as f)2) The method can be realized by the following steps: generating a random number d using an existing random number generator0(d0∈[1,n-2]) A random number d0Determined as the second private key component f2. It should be noted that the second private key component f is described here by way of example only2The generation method (2) is not limited. Optionally, in this embodiment, when the second secret is generated by the terminal password moduleKey component f2Thereafter, the second private key component f may be further processed2Encryption is performed. As an embodiment, this embodiment may derive an encryption key (for example, a 128-bit symmetric key) by using the device identifier of the terminal device, the application identifier of the legitimate application, and the user identifier of the legitimate user, and use the encryption key to pair the second private key component f2Encryption is performed.
Optionally, as described above, after the server-side cryptographic module generates the public key component according to the first private key component and the first random number, the server-side cryptographic module further sends the public key component to the terminal cryptographic module, for example, the public key component is carried in the verification pass instruction and sent to the terminal cryptographic module. Based on this, the terminal cryptographic module depends on the second private key component f, as depicted in step 1022And generating the target public key by the public key component. As an example, step 102 is based on the second private key component f2There are various ways for generating the target public key according to the public key component, for example, according to the following formula 1:
G0= f2 -1[*]g1[-]g (formula 1)
Wherein G is0Representing the target public key, f2Representing the second private key component, g1Representing the public key component, G representing a predetermined base point, being a finite field FqA set of upper elliptic curve system parameters. [*]Indicate point riding [ -]Indicating a point subtraction.
It should be noted that formula 1 is only an example of generating the target public key, and is not limited thereto, and this embodiment may set another algorithm according to actual requirements to depend on the second private key component f2And generating the target public key by the public key component.
Thus, the flow shown in fig. 1 is completed.
As can be seen from the flow shown in fig. 1, in this embodiment, the private key is not autonomously generated by one device, such as a terminal device, but both terminals of the terminal and the server cooperate to generate private key components, and any terminal cannot recover the complete private key independently, so that the security of the private key is protected from being stolen illegally.
Further, in this embodiment, through the first self-check and the second self-check, the generation of the private key is bound to the legitimacy and the operating environment of the terminal cryptographic module, and only the terminal cryptographic module can execute the generation of the subsequent private key component after passing through the first self-check and the second self-check, which can further ensure that the private key component is generated in a secure environment, and further protect the security of the private key component.
Furthermore, in this embodiment, the public key is not generated by a device, such as a terminal device, but generated by the terminal cryptographic module according to the locally generated second private key component and the public key component generated by the server according to the first private key component, which realizes that the private key component is not cracked based on the target public key even if the target public key is known, and further improves the security of the private key component.
The above is the present application embodiment described from the perspective of standing at the terminal device, and the following is a method provided by the present application embodiment and continuously described from the perspective of standing at the server side:
referring to fig. 3, fig. 3 is a flow chart of another method provided by the embodiment of the present application. The process is applied to the server side cryptographic module deployed on the server side. As shown in fig. 3, the process may include the following steps:
As an embodiment, the sending, by the terminal cryptographic module, the current verification parameter to the server cryptographic module for verification may include: and acquiring a binding relationship among a current equipment identification code, a current application identification and a current user identification which are input from the outside, and sending the binding relationship among the current equipment identification code, the current application identification and the current user identification to the server side password module for verification through the terminal password module. The current device identification code is used for representing the terminal device, and may be represented by at least one of a device serial number, a device software version number, and a device hardware version number, for example. The current application identifier is used to represent an application on the terminal device, and may be an application name, for example. The current user identity is used to represent the user, such as an access control PIN code that may be the user.
Based on this, when the step 301 is executed, the checking the current checking parameter through the server-side cryptographic module may include: if the current verification parameters include: and if so, determining that the current verification parameter passes verification, and if not, determining that the current verification parameter does not pass verification. Here, the legal binding relationship corresponds to the terminal cryptographic module, and the legal binding relationship (which may include a binding relationship among a legal device identification code, a legal application identification, and a legal user identification) can be obtained by sending the terminal device to the server in the terminal device initialization process.
As another embodiment, the sending, by the terminal cryptographic module, the current verification parameter to the server cryptographic module for verification may include: obtaining current state parameters of a terminal device, wherein the current state parameters are used for representing the current state of the terminal device, and the current state parameters at least comprise at least one of the following parameters: running state of a kernel/operating system, process list information in running state in the terminal equipment, existing file list information in the terminal equipment, network flow use condition of the terminal equipment, CPU occupation ratio in the terminal equipment and memory occupation ratio; and sending the current state parameters to the server side password module through the terminal password module for verification.
Based on this, when the step 301 is executed, the checking the current checking parameter through the server-side cryptographic module may include: and verifying whether the current state parameter is legal or not according to the obtained legal state parameter, if so, determining that the current verification parameter passes verification, and if not, determining that the current verification parameter does not pass verification. For example, if the current state parameter is the CPU occupancy, the corresponding valid state parameter may be the CPU occupancy threshold, based on which it may be verified whether the current state parameter, that is, the current CPU occupancy, is greater than or equal to the valid state parameter, that is, the CPU occupancy threshold, if so, it is determined that the current state parameter, that is, the current CPU occupancy passes the verification, and if not, it is determined that the current state parameter, that is, the current CPU occupancy does not pass the verification. And the like, and other parameters are similar, which are not exemplified here.
As another embodiment, the sending, by the terminal cryptographic module, the current verification parameter to the server cryptographic module for verification may include: the method comprises the steps of obtaining a binding relation among a current equipment identification code, a current application identification and a current user identification which are input from the outside, sending the binding relation among the current equipment identification code, the current application identification and the current user identification to a server side password module through a terminal password module for verification, obtaining current state parameters of the terminal equipment through the terminal password module when the binding relation among the current equipment identification code, the current application identification and the current user identification passes the verification of the server side password module, and sending the current state parameters to the server side password module through the terminal password module for verification. By applying the embodiment, the way for the server-side password module to verify the binding relationship among the current device identification code, the current application identification and the current user identification and to verify the current state parameter is as described above.
The above describes that the current verification parameter sent by the terminal cryptographic module is received by the server cryptographic module in step 301, and the current verification parameter is verified. When the current verification parameter passes the verification, the following step 302 is executed.
Optionally, in this step 302, a first key operation is performed to generate a first private key scoreQuantity (noted as f)1) There are many ways of generating a random number d, for example, using an existing random number generator1(d1∈[1,n-2]) A random number d1Determined as the first private key component f1. It should be noted that the first private key partition f is described here by way of example only1The manner of generating the amount is not intended to be limiting. As an example, in this embodiment, the first private key component f1Storage may be encrypted by a cryptographic card that is authenticated, such as a cryptographic card that is authenticated via the national crypto-authority.
Optionally, in this embodiment, in this step 302, the first secret key component f is determined according to1There are also many implementations of generating the corresponding public key component, such as the following: public key component = f1 -1[*]G。
The flow shown in fig. 3 is completed.
As can be seen from the flow shown in fig. 3, in this embodiment, the server and the terminal generate private key components in cooperation, and any end cannot recover the complete private key, so that the security of the private key is protected from being stolen illegally.
Further, in this embodiment, the server generates the public key component according to the first private key component, and the purpose of the public key component is to facilitate the terminal cryptographic module to generate a final target public key according to the public key component and the locally generated second private key component, which realizes that the private key component cannot be decrypted based on the target public key, and further improves the security of the private key component.
As described above, the first private key component and the second private key component cooperate to generate a digital signature, as described below:
referring to fig. 4, fig. 4 is a flow chart of digital signature provided in the embodiment of the present application. As shown in fig. 4, the process may include the following steps:
Alternatively, in this embodiment, the first random number is named only for convenience of description, and may be denoted as k1. In this embodiment, a first random number k is used1There are many ways to perform the first digital signature operation to obtain the corresponding digital signature intermediate value, for example, generate the message digest e of the target communication data, and calculate the first random number k1[*]G obtains a dot product result (denoted as dot product Q), and the message digest e and the dot product Q are used as the digital signature reference value.
Optionally, there are many implementation forms for performing the second digital signature operation according to the first private key component, the second random number, and the digital signature reference value carried in the digital signature request to obtain the digital signature component in this step 402, for example, if the digital signature reference value is the message digest e and the dot product Q, then performing the second digital signature operation according to the first private key component, the second random number, and the digital signature reference value carried in the digital signature request to obtain the digital signature component may be: if the second random number is k21、k22Then calculate k21[*]G[+]k21[*]Q yields point (x1, y 1); calculating an intermediate value r = (x1+ e) mod n, n being the order of the base point G; calculating the intermediate value s2=(f1*k22) mod n; calculating the intermediate value s3=((f1*(r+k21) Mod n), the intermediate values r, s2Middle value s3Determined as the above-mentioned digital signature component.
And 403, the client cryptographic module receives the digital signature response returned by the server cryptographic module, and performs a third digital signature operation by using the first random number, the second private key component and the digital signature component carried by the digital signature response to obtain a target digital signature.
Optionally, in this embodiment, there are many implementation forms for performing a third digital signature operation by using the first random number, the second private key component, and the digital signature component carried by the digital signature response to obtain the target digital signature, such as: using the above-mentioned digital signature component as intermediate value r and intermediate value s2Middle value s3For example, the third digital signature operation performed by using the second private key component and the digital signature component carried in the digital signature response to obtain the target digital signature may be: calculating s0=((f2*k1) Intermediate value s2+f2*s3Intermediate value r) mod n, will (r, s)0) Determined as the target digital signature.
The flow shown in fig. 4 is completed.
Through the flow shown in fig. 4, the first private key component at the server side and the second private key component at the terminal side are cooperatively used to generate the target digital signature of the target communication data, so that the target digital signature is not easy to crack. And then, the target digital signature can be verified by the target public key, and the specific signature verification mode is similar to the existing signature verification mode and is not described again here.
As described above, the first private key component and the second private key component cooperate to decrypt a ciphertext encrypted via the target public key, as described below:
referring to fig. 5, fig. 5 is a flowchart of decryption provided in an embodiment of the present application. As shown in fig. 5, the process may include the following steps:
Optionally, in this embodiment, a third random number (denoted as k) is used3) There are many ways of implementing the first decryption operation to obtain the corresponding decryption reference value, for example, taking out the bit string C from the ciphertext according to the national cipher standard1C is calculated according to the method given by the national secret standard such as GM/T0003.11Data of (2)Type conversion to points on an elliptic curve, verification C1Whether an elliptic curve equation is satisfied, if so, calculating an elliptic curve point S = [ h =]C1Whether the point is an infinite point or not, if so, calculating T1=k3[*]C1Will T1Determined as the above-mentioned decryption reference value.
And 502, the server side password module receives the decryption request sent by the terminal password module, performs second decryption operation according to the first private key component and the decryption reference value carried by the decryption request to obtain a decryption component, and carries the decryption component in a decryption response to return to the terminal password module.
Optionally, in this embodiment, there are many implementation forms for obtaining the decryption component by performing the first decryption operation according to the first private key component and the decryption reference value carried by the decryption request, for example, if the decryption reference value is the above-mentioned T1Then, performing a second decryption operation according to the first private key component and the decryption reference value carried by the decryption request to obtain a decryption component: calculating T2=f1 -1[*]T1Will T2Determined as the decrypted component described above.
Optionally, in this embodiment, there are many implementation manners for performing a third decryption operation by using the second private key component, the third random number, the decryption component carried in the decryption response, and the ciphertext to obtain the plaintext, for example, if the decryption component is the above-mentioned T2, the plaintext may be decrypted according to the following manners: calculating (x 2, y 2) = k3-1[*]f2-1[*]T2[-]C1; calculating t = KDF (x 2| | y2, klen), KDF () representing a key derivation function, and integer klen representing the bit length of key data to be obtained; the result obtained by t ≦ C2 is determined as plaintext, where C2 is a bit string taken out of the ciphertext. It should be noted that, the description here is only for example how to obtain the plaintext by performing the third decryption operation on the second private key component, the decryption component carried in the decryption response, and the ciphertext, and is not limited.
The flow shown in fig. 5 is completed.
The first private key component and the second private key component cooperatively decrypt the ciphertext encrypted by the target public key through the process shown in fig. 5.
The method provided by the embodiment of the present application is described above, and the system provided by the embodiment of the present application is described below:
referring to fig. 6, fig. 6 is a structural diagram of a key generation system according to an embodiment of the present application. As shown in fig. 6, the system includes a terminal device and a server. And a terminal password module is deployed on the terminal equipment, and a server password module is deployed on the server.
When the terminal password module detects a key generation event, if the terminal password module passes the first self-check and the second self-check, the current verification parameters are sent to the server password module through the terminal password module for verification;
the server-side password module verifies the received current verification parameters, performs first key operation to generate a first private key component when the current verification parameters pass verification, generates a corresponding public key component according to the first private key component, and sends the public key component to the terminal password module;
the terminal password module carries out second key operation to generate a second private key component when the current verification parameter passes verification; generating a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
Correspondingly, the embodiment of the application also provides a device applied to the terminal password module. Referring to fig. 7, fig. 7 is a structural diagram of an apparatus according to an embodiment of the present disclosure. The device is applied to the terminal password module. As shown in fig. 7, the apparatus may include:
a detection unit for detecting a key generation event;
the cooperation unit is used for sending the current verification parameters of the terminal equipment to a server-side password module deployed on a server for verification if the terminal password module passes a first self-verification and a second self-verification when the detection unit detects a key generation event, so that the server-side password module performs first key operation to generate a first private key component and generates a public key component according to the first private key component when the current verification parameters pass the verification; the first self-check is used for checking whether the set digital signature of the terminal password module is legal or not, and the second self-check is used for checking whether the running environment of the terminal password module is normal or not;
the key unit is used for obtaining the public key component, performing second key operation to generate a second private key component, and generating a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperatively decrypt ciphertext encrypted via the target public key and/or generate a digital signature; the target public key is used to encrypt data and/or verify the digital signature.
Optionally, the first self-test is implemented by: acquiring a preset public key for verifying the digital signature set by the terminal password module; and verifying whether the set digital signature of the terminal password module is legal or not through the preset public key, if so, determining that the terminal password module passes the first self-check, otherwise, determining that the terminal password module does not pass the first self-check.
Optionally, the second self-test is implemented by: attempting to start a running process for running the terminal cryptographic module; and acquiring process attribute parameters of the running process after the running process is started, if the process attribute parameters meet process requirements, determining that the running environment of the terminal password module is normal, and the terminal password module passes a second self-check, otherwise, determining that the running environment of the terminal password module is abnormal, and the terminal password module does not pass the second self-check.
Optionally, the sending, by the coordination unit, the current verification parameter to the server cryptographic module for verification includes:
acquiring a binding relationship among a current equipment identification code, a current application identification and a current user identification which are input externally, and sending the binding relationship among the current equipment identification code, the current application identification and the current user identification to the server password module for verification; the current equipment identification code is used for representing the terminal equipment, the current application identification is used for representing an application on the terminal equipment, and the current user identification is used for representing a user;
alternatively, the first and second electrodes may be,
obtaining current state parameters of the terminal device, where the current state parameters are used to represent a current state of the terminal device, and the current state parameters at least include at least one of the following parameters: running state of a kernel/operating system, process list information in running state in the terminal equipment, existing file list information in the terminal equipment, network flow use condition of the terminal equipment, CPU occupation ratio in the terminal equipment and memory occupation ratio; sending the current state parameter to the server-side password module for verification;
alternatively, the first and second electrodes may be,
acquiring a binding relationship among the current equipment identification code, the current application identification and the current user identification which are input from the outside, and sending the binding relationship among the current equipment identification code, the current application identification and the current user identification to the server-side password module for verification; and when the binding relationship among the current equipment identification code, the current application identification and the current user identification is verified by the server-side password module, obtaining the current state parameter of the terminal equipment, and sending the current state parameter to the server-side password module for verification.
Optionally, when the key unit performs digital signature on the target communication data, and when the key unit performs digital signature on the target communication data, the key unit performs a first digital signature operation by using a first random number to obtain a corresponding digital signature reference value, and sends a digital signature request to the server cryptographic module; the digital signature request carries the digital signature reference value; receiving a digital signature response returned by the server side password module, wherein the digital signature response carries a digital signature component; the digital signature component is obtained by the server side password module through second digital signature operation according to the first private key component, the digital signature reference value and a second random number; and performing third digital signature operation by using the first random number, the second private key component and the digital signature component to obtain a target digital signature.
Optionally, when decrypting the ciphertext encrypted by the target public key, the key unit performs a first decryption operation by using a third random number to obtain a corresponding decryption reference value, and sends a decryption request to the server-side cryptographic module; the decryption request carries the decryption reference value; receiving a decryption response returned by the server side password module, wherein the decryption response carries a decryption component; the decryption component is obtained by performing second decryption operation according to the first private key component and the decryption reference value; and performing a third decryption operation by using the second private key component, the third random number, the decryption component and the ciphertext to obtain a plaintext.
Thus, the description of the structure of the apparatus shown in fig. 7 is completed.
Correspondingly, the application also provides a device structure diagram of the cryptographic module of the application server. Referring to fig. 8, fig. 8 is a structural diagram of another apparatus according to an embodiment of the present disclosure. As shown in fig. 8, the apparatus may include:
the verification unit is used for receiving the current verification parameters sent by the terminal password module and verifying the current verification parameters;
the key unit is used for performing first key operation to generate a first private key component when the current verification parameter passes verification, generating a corresponding public key component according to the first private key component, and sending the public key component to the terminal cryptographic module so that the terminal cryptographic module generates a target public key according to the public key component and a second private key component, wherein the second private key component is generated by performing second key operation by the terminal cryptographic module when the current verification parameter passes verification of the server cryptographic module; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
Optionally, the verifying unit further obtains a legal binding relationship corresponding to the terminal cryptographic module, where the legal binding relationship includes: binding relation among legal equipment identification code, legal application identification and legal user identification; and/or the presence of a gas in the gas,
obtaining legal state parameters of the terminal equipment bound with the terminal password module; the legal state parameters at least comprise at least one of the following parameters: legal running state of kernel/operating system, legal process list information in running state in the terminal equipment, legal file list information existing in the terminal equipment, legal network flow using condition of the terminal equipment, legal occupation rate of CPU in the terminal equipment and legal occupation rate of memory;
based on this, the checking the current checking parameter by the checking unit includes:
if the current verification parameter comprises: if the legal binding relationship exists, determining that the current verification parameter passes verification, and if not, determining that the current verification parameter does not pass verification;
if the current verification parameter comprises: and verifying whether the current state parameter is legal or not according to the existing legal state parameter of the terminal equipment, if so, determining that the current verification parameter passes verification, and if not, determining that the current verification parameter does not pass verification.
Optionally, the key unit further receives a digital signature request sent by the terminal cryptographic module; the digital signature request carries a digital signature reference value, and the digital signature reference value is obtained by performing first digital signature operation on target communication data by using a first random number when the terminal password module performs digital signature on the target communication data; carrying out second digital signature operation according to the first private key component, the digital signature reference value and the second random number to obtain a digital signature component, carrying the digital signature component in a digital signature response, and returning the digital signature component to the terminal password module, so that the terminal password module carries out third digital signature operation by using the first random number, the second private key component and the digital signature component to obtain a target digital signature; and/or the presence of a gas in the gas,
receiving a decryption request sent by the terminal password module; the decryption request carries a decryption reference value, and the decryption reference value is obtained by performing a first decryption operation on a ciphertext encrypted by the target public key by using a third random number when the terminal password module decrypts the ciphertext encrypted by the target public key; and carrying out second decryption operation according to the first private key component and the decryption reference value to obtain a decryption component, carrying the decryption component in a decryption response, returning the decryption response to the terminal password module, and carrying out third decryption operation by the terminal password module by using the second private key component, the third random number, the decryption component and the ciphertext to obtain a plaintext.
Thus, the description of the structure of the apparatus shown in fig. 8 is completed.
The embodiment of the application also provides a hardware structure of the device shown in fig. 7 or fig. 8. Referring to fig. 9, fig. 9 is a structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 9, the hardware structure may include: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored, and when the computer instructions are executed by a processor, the method disclosed in the above example of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (random Access Memory), a volatile Memory, a non-volatile Memory, a flash Memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a dvd, etc.), or similar storage medium, or a combination thereof.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (11)
1. A secret key generation method of terminal equipment of the Internet of things is characterized in that the method is applied to the terminal equipment of the Internet of things, a terminal password module for realizing the method is newly deployed on the terminal equipment of the Internet of things, and the method comprises the following steps:
when a key generation event is detected by a terminal password module, if the terminal password module passes a first self-check and a second self-check, acquiring a binding relationship among a current equipment identification code, a current application identification and a current user identification, sending the binding relationship among the current equipment identification code, the current application identification and the current user identification to a server password module by the terminal password module, and when the binding relationship among the current equipment identification code, the current application identification and the current user identification passes the check of the server password module, sending a current state parameter of the internet of things terminal equipment to a newly deployed server password module which is used for generating a password operation in cooperation with the terminal password module to check by the terminal password module, so that the server password module generates a first private key component by performing a first key operation when the current state parameter passes the check Generating a public key component according to the first private key component; the current state parameter is used for representing the current state of the terminal equipment of the Internet of things, the first self-check is used for checking whether the set digital signature of the terminal password module is legal or not, and the second self-check is used for checking whether the running environment of the terminal password module is normal or not;
obtaining the public key component generated by the server side password module, performing second key operation through the terminal password module to generate a second private key component, and generating a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperatively decrypt ciphertext encrypted via the target public key and/or generate a digital signature; the target public key is used to encrypt data and/or verify the digital signature.
2. The method of claim 1, wherein the first self-test is performed by:
acquiring a preset public key for verifying the digital signature set by the terminal password module;
and verifying whether the set digital signature of the terminal password module is legal or not through the preset public key, if so, determining that the terminal password module passes the first self-check, otherwise, determining that the terminal password module does not pass the first self-check.
3. The method of claim 1, wherein the second self-test is performed by:
attempting to start a running process for running the terminal cryptographic module;
and acquiring process attribute parameters of the running process after the running process is started, if the process attribute parameters meet process requirements, determining that the running environment of the terminal password module is normal, and the terminal password module passes a second self-check, otherwise, determining that the running environment of the terminal password module is abnormal, and the terminal password module does not pass the second self-check.
4. The method of claim 1, wherein the current state parameters comprise at least one of: the method comprises the steps of running state of a kernel/operating system, process list information in running state in the terminal equipment of the Internet of things, existing file list information in the terminal equipment of the Internet of things, network flow using condition of the terminal equipment of the Internet of things, occupation ratio of a CPU in the terminal equipment of the Internet of things and occupation ratio of a memory.
5. The method of claim 1, further comprising:
when the target communication data is digitally signed, performing first digital signature operation by using a first random number to obtain a corresponding digital signature reference value, and sending a digital signature request to the server side password module; the digital signature request carries the digital signature reference value;
receiving a digital signature response returned by the server side password module, wherein the digital signature response carries a digital signature component; the digital signature component is obtained by the server side password module through second digital signature operation according to the first private key component, the digital signature reference value and a second random number;
and performing third digital signature operation by using the first random number, the second private key component and the digital signature component to obtain a target digital signature.
6. The method of claim 1, further comprising:
when the ciphertext encrypted by the target public key is decrypted, a first decryption operation is carried out by utilizing a third random number to obtain a corresponding decryption reference value, and a decryption request is sent to the server side password module; the decryption request carries the decryption reference value;
receiving a decryption response returned by the server side password module, wherein the decryption response carries a decryption component; the decryption component is obtained by performing second decryption operation according to the first private key component and the decryption reference value;
and performing a third decryption operation by using the second private key component, the third random number, the decryption component and the ciphertext to obtain a plaintext.
7. A key protection method for terminal equipment of the Internet of things is characterized in that the method is applied to a server side in the Internet of things, a server side cryptographic module for realizing the method is deployed on the server side, and the server side cryptographic module and a terminal cryptographic module newly deployed on the terminal equipment of the Internet of things cooperate to generate a key; the method comprises the following steps:
acquiring a binding relationship among a current equipment identification code, a current application identification and a current user identification which are sent by the terminal password module after passing through the first self-check and the second self-check through the server password module;
the binding relationship among the current equipment identification code, the current application identification and the current user identification is verified through the server side password module, and the current state parameter sent by the terminal password module is received through the server side password module when the binding relationship among the current equipment identification code, the current application identification and the current user identification passes the verification of the server side password module; the current state parameter is used for representing the current state of the terminal equipment of the Internet of things;
checking the current state parameter, performing first key operation to generate a first private key component when the current state parameter passes the checking, generating a corresponding public key component according to the first private key component, and sending the public key component to the terminal cryptographic module so that the terminal cryptographic module generates a target public key according to the public key component and a second private key component, wherein the second private key component is generated by performing second key operation by the terminal cryptographic module when the current state parameter passes the checking of the server cryptographic module; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
8. The method of claim 7, further comprising:
obtaining a legal binding relationship corresponding to the terminal password module, wherein the legal binding relationship comprises: binding relation among legal equipment identification code, legal application identification and legal user identification; and/or obtaining legal state parameters of the terminal equipment of the Internet of things bound with the terminal password module; the legal state parameters at least comprise at least one of the following parameters: the legal operation state of a kernel/operating system, the legal process list information in the terminal equipment of the Internet of things, the existing legal file list information in the terminal equipment of the Internet of things, the legal network flow use condition of the terminal equipment of the Internet of things, the legal occupancy of a CPU (Central processing Unit) in the terminal equipment of the Internet of things and the legal occupancy of a memory;
the verifying the binding relationship among the current equipment identification code, the current application identification and the current user identification through the server password module comprises the following steps:
verifying whether a binding relationship containing a current equipment identification code, a current application identification and a current user identification exists in the legal binding relationship, if so, determining that the binding relationship passes the verification, and if not, determining that the binding relationship does not pass the verification;
the checking the current state parameter comprises:
and verifying whether the current state parameter is legal or not according to the existing legal state parameter, if so, determining that the current state parameter passes the verification, and if not, determining that the current state parameter does not pass the verification.
9. The method of claim 7, further comprising:
receiving a digital signature request sent by the terminal password module; the digital signature request carries a digital signature reference value, and the digital signature reference value is obtained by performing first digital signature operation on target communication data by using a first random number when the terminal password module performs digital signature on the target communication data; carrying out second digital signature operation according to the first private key component, the digital signature reference value and the second random number to obtain a digital signature component, carrying the digital signature component in a digital signature response, and returning the digital signature component to the terminal password module, so that the terminal password module carries out third digital signature operation by using the first random number, the second private key component and the digital signature component to obtain a target digital signature; and/or the presence of a gas in the gas,
receiving a decryption request sent by the terminal password module; the decryption request carries a decryption reference value, and the decryption reference value is obtained by performing a first decryption operation on a ciphertext encrypted by the target public key by using a third random number when the terminal password module decrypts the ciphertext encrypted by the target public key; and carrying out second decryption operation according to the first private key component and the decryption reference value to obtain a decryption component, carrying the decryption component in a decryption response, returning the decryption response to the terminal password module, and carrying out third decryption operation by the terminal password module by using the second private key component, the third random number, the decryption component and the ciphertext to obtain a plaintext.
10. A key generation system of terminal equipment of the Internet of things is characterized by comprising the terminal equipment of the Internet of things and a server, wherein a terminal password module is deployed on the terminal equipment of the Internet of things, and a server password module is deployed on the server;
when the terminal password module detects a key generation event, if the terminal password module is found to pass a first self-check and a second self-check, acquiring a binding relationship among a current equipment identification code, a current application identification and a current user identification, sending the binding relationship among the current equipment identification code, the current application identification and the current user identification to a server password module, and when the binding relationship among the current equipment identification code, the current application identification and the current user identification is verified by the server password module, sending current state parameters of the terminal equipment of the internet of things to a server password module which is newly deployed on a server and used for generating a password operation in cooperation with the terminal password module for verification; the current state parameter is used for representing the current state of the terminal equipment of the Internet of things, the first self-check is used for checking whether the set digital signature of the terminal password module is legal or not, and the second self-check is used for checking whether the running environment of the terminal password module is normal or not;
the server side password module obtains a binding relationship among a current equipment identification code, a current application identification and a current user identification which are sent by the terminal password module after passing through a first self-check and a second self-check; checking the binding relationship among the current equipment identification code, the current application identification and the current user identification, and receiving the current state parameter sent by the terminal password module after the binding relationship among the current equipment identification code, the current application identification and the current user identification is checked; checking the current state parameter, performing first key operation to generate a first private key component when the current state parameter passes the checking, generating a corresponding public key component according to the first private key component, and sending the public key component to the terminal password module;
the terminal password module obtains the public key component, performs second key operation to generate a second private key component, and generates a target public key according to the second private key component and the public key component; the first private key component and the second private key component cooperate to generate a digital signature and/or decrypt a ciphertext encrypted via the target public key; the target public key is used to encrypt data and/or to verify the digital signature.
11. An electronic device, comprising: a processor and a machine-readable storage medium;
the machine-readable storage medium stores machine-executable instructions executable by the processor;
the processor is configured to execute machine executable instructions to perform the method steps of any of claims 1-9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011481880.0A CN112241527B (en) | 2020-12-15 | 2020-12-15 | Secret key generation method and system of terminal equipment of Internet of things and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011481880.0A CN112241527B (en) | 2020-12-15 | 2020-12-15 | Secret key generation method and system of terminal equipment of Internet of things and electronic equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112241527A CN112241527A (en) | 2021-01-19 |
| CN112241527B true CN112241527B (en) | 2021-04-27 |
Family
ID=74175213
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011481880.0A Active CN112241527B (en) | 2020-12-15 | 2020-12-15 | Secret key generation method and system of terminal equipment of Internet of things and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112241527B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112926075B (en) * | 2021-03-26 | 2023-01-24 | 成都卫士通信息产业股份有限公司 | SM9 key generation method, device, equipment and storage medium |
| CN115001869B (en) * | 2022-08-01 | 2022-10-28 | 徐州捷科思网络科技有限公司 | Encryption transmission method and system |
| CN116032655B (en) * | 2023-02-13 | 2023-07-25 | 杭州天谷信息科技有限公司 | Identity authentication method and system capable of resisting timing attack |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111200502A (en) * | 2020-01-03 | 2020-05-26 | 信安神州科技(广州)有限公司 | Collaborative digital signature method and device |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3051744B1 (en) * | 2013-10-28 | 2019-01-02 | Huawei Device (Dongguan) Co., Ltd. | Key configuration method and apparatus |
| CN105610648B (en) * | 2016-01-11 | 2019-08-09 | 飞天诚信科技股份有限公司 | A kind of acquisition method and server of O&M monitoring data |
| CN107196763B (en) * | 2017-07-06 | 2020-02-18 | 数安时代科技股份有限公司 | SM2 algorithm collaborative signature and decryption method, device and system |
| CN111654378B (en) * | 2020-05-28 | 2021-01-05 | 广东纬德信息科技股份有限公司 | Data security self-checking method based on electric power security gateway |
-
2020
- 2020-12-15 CN CN202011481880.0A patent/CN112241527B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111200502A (en) * | 2020-01-03 | 2020-05-26 | 信安神州科技(广州)有限公司 | Collaborative digital signature method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112241527A (en) | 2021-01-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10708062B2 (en) | In-vehicle information communication system and authentication method | |
| CN107743133B (en) | Mobile terminal and access control method and system based on trusted security environment | |
| CN111756533B (en) | System, method and storage medium for secure password generation | |
| CN112241527B (en) | Secret key generation method and system of terminal equipment of Internet of things and electronic equipment | |
| CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
| CN109150897B (en) | End-to-end communication encryption method and device | |
| CN109981562B (en) | Software development kit authorization method and device | |
| CN108111497B (en) | Mutual authentication method and device for camera and server | |
| US9531540B2 (en) | Secure token-based signature schemes using look-up tables | |
| US9185111B2 (en) | Cryptographic authentication techniques for mobile devices | |
| CN108768963B (en) | Communication method and system of trusted application and secure element | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| CN110868291B (en) | Data encryption transmission method, device, system and storage medium | |
| CN107920052B (en) | Encryption method and intelligent device | |
| CN111030814A (en) | Key negotiation method and device | |
| CN111401901B (en) | Authentication method and device of biological payment device, computer device and storage medium | |
| CN115859267A (en) | Method for safely starting application program, storage control chip and electronic equipment | |
| CN112019326A (en) | Vehicle charging safety management method and system | |
| CN110990814A (en) | Trusted digital identity authentication method, system, equipment and medium | |
| CN112769789B (en) | Encryption communication method and system | |
| CN111245594B (en) | Homomorphic operation-based collaborative signature method and system | |
| CN111934862B (en) | Server access method and device, readable medium and electronic equipment | |
| CN105873043B (en) | Method and system for generating and applying network private key for mobile terminal | |
| CN111740995A (en) | Authorization authentication method and related device | |
| CN107343276B (en) | Method and system for protecting SIM card locking data of terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |