CN113239410B - Terminal certificate updating method, terminal and computer readable storage medium - Google Patents
Terminal certificate updating method, terminal and computer readable storage medium Download PDFInfo
- Publication number
- CN113239410B CN113239410B CN202110781879.8A CN202110781879A CN113239410B CN 113239410 B CN113239410 B CN 113239410B CN 202110781879 A CN202110781879 A CN 202110781879A CN 113239410 B CN113239410 B CN 113239410B
- Authority
- CN
- China
- Prior art keywords
- updated
- terminal certificate
- key
- terminal
- certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a terminal certificate updating method, a terminal and a computer readable storage medium, wherein the method comprises the following steps: generating a key pair, and sending a public key in the key pair to the master station so that the master station generates an update terminal certificate command according to the public key in the key pair and the terminal certificate to be updated; after receiving a terminal certificate updating command sent by a master station, performing matching authentication on a terminal certificate to be updated by using a private key in a key pair, and after the authentication is passed, updating the certificate according to the terminal certificate to be updated and updating the private key according to the private key in the key pair; and sending the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair. Therefore, the matching of the terminal certificate and the terminal private key can be ensured, and the correctness of certificate updating is further ensured.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method for updating a terminal certificate, a terminal, and a computer-readable storage medium.
Background
In the construction of a power utilization information acquisition system, a national power grid company needs to deploy a large number of terminals so as to realize the acquisition, exchange and analysis of data information, and thus, corresponding safety means need to be added to fully ensure the information safety between the terminals. Information security has two implications: firstly, the safety of data is mainly that a cryptographic algorithm is adopted to carry out active protection on the data, such as data confidentiality, data integrity, bidirectional identity authentication and the like, and secondly, the safety of data protection is mainly that an information storage means is adopted to carry out active protection on the data, such as means of disk array, data backup, remote disaster recovery and the like, to ensure the safety of the data. Data security is an active protection measure, and the security of data itself must be based on a reliable encryption algorithm and a security system.
For the safety of data, a national power grid adopts a mode of combining a symmetric encryption technology and an asymmetric encryption technology, and simultaneously proposes a mode of adopting a certificate to carry out information exchange, but the current certificate updating method is too simple, so that the certificate updating error is easy to occur, and further, the follow-up service cannot be carried out.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art. Therefore, a first object of the present invention is to provide a method for updating a terminal certificate, which can effectively ensure correctness of certificate updating.
A second object of the present invention is to provide a terminal.
A third object of the invention is to propose another terminal.
A fourth object of the invention is to propose a computer-readable storage medium.
In order to achieve the above object, an embodiment of a first aspect of the present invention provides a method for updating a terminal certificate, which is applied to a terminal, and the method includes: generating a key pair, and sending a public key in the key pair to the master station so that the master station generates an update terminal certificate command according to the public key in the key pair and the terminal certificate to be updated; after receiving a terminal certificate updating command sent by a master station, performing matching authentication on a terminal certificate to be updated by using a private key in a key pair, and after the authentication is passed, updating the certificate according to the terminal certificate to be updated and updating the private key according to the private key in the key pair; and sending the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
According to the terminal certificate updating method provided by the embodiment of the invention, a terminal generates a key pair and sends a public key in the key pair to a master station, so that the master station generates a terminal certificate updating command according to the public key in the key pair and a terminal certificate to be updated, after the terminal certificate updating command sent by the master station is received, the private key in the key pair is used for performing matching authentication on the terminal certificate to be updated, after the authentication is passed, the certificate is updated according to the terminal certificate to be updated, the private key is updated according to the private key in the key pair, and the serial number of the terminal certificate to be updated and the public key in the key pair are sent to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair. The private key in the generated key pair is subjected to matching authentication with the terminal certificate to be updated, and the private key and the certificate are updated only after the authentication is passed, so that the correctness of updating the certificate can be ensured.
According to an embodiment of the invention, after generating the key pair, the method further comprises: the key pair is stored in a temporary storage area.
According to one embodiment of the present invention, a terminal certificate to be updated includes a public key in a key pair, and performing matching authentication on the terminal certificate to be updated by using a private key in the key pair includes: acquiring an authentication public key in a terminal certificate to be updated; carrying out matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair; and if the terminal certificate is matched with the terminal certificate to be updated, determining that the private key in the key pair is matched with the terminal certificate to be updated.
According to an embodiment of the present invention, performing matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair includes: encrypting preset data by using a public key in a terminal certificate to be updated to obtain encrypted data; decrypting the encrypted data by using a private key in the key pair to obtain decrypted data; and if the decrypted data is the same as the preset data, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
According to an embodiment of the present invention, performing matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair includes: signing preset data by using a public key in a terminal certificate to be updated to obtain a first signature; verifying the first signature by using a private key in the key pair; and if the signature verification is passed, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
According to an embodiment of the present invention, the command for updating the terminal certificate further includes a message authentication code, and the terminal certificate to be updated is an encrypted terminal certificate to be updated, and the method further includes: and verifying the message authentication code, and after the verification is passed, decrypting the encrypted terminal certificate to be updated to obtain the terminal certificate to be updated.
According to one embodiment of the invention, the key pair and the encrypted terminal certificate to be updated are obtained by encryption through a national cryptographic algorithm.
In order to achieve the above object, a second embodiment of the present invention provides a terminal, including: the key management module is used for generating a key pair; the master processing module is used for sending the public key in the key pair to the master station and receiving a terminal certificate updating command sent by the master station, wherein the master station generates a terminal certificate updating command according to the public key in the key pair and the terminal certificate to be updated; the safety module is used for performing matching authentication on the terminal certificate to be updated by using a private key in a key pair after the main processing module receives a command for updating the terminal certificate sent by the master station, updating the certificate according to the terminal certificate to be updated after the authentication is passed, and updating the private key according to the private key in the key pair; the main processing module is further configured to send the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
According to the terminal provided by the embodiment of the invention, a key pair is generated through a key management module, a public key in the key pair is sent to a master station through a master processing module, a terminal certificate updating command sent by the master station is received, after the terminal certificate updating command sent by the master station is received through a security module, the terminal certificate to be updated is subjected to matching authentication by using a private key in the key pair, after the authentication is passed, the certificate is updated according to the terminal certificate to be updated, the private key is updated according to the private key in the key pair, and the serial number of the terminal certificate to be updated and the public key in the key pair are sent to the master station through the master processing module, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated, and updates the terminal public key according to the public key in the key pair. The private key in the generated key pair is subjected to matching authentication with the terminal certificate to be updated, and the private key and the certificate are updated only after the authentication is passed, so that the correctness of updating the certificate can be ensured.
In order to achieve the above object, a third embodiment of the present invention provides a terminal, which includes a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the foregoing terminal certificate updating method when executing the computer program.
According to the terminal of the embodiment of the invention, by the terminal certificate updating method, the private key in the generated key pair is subjected to matching authentication with the terminal certificate to be updated, and the private key and the certificate are updated after the authentication is passed, so that the correctness of certificate updating can be ensured.
To achieve the above object, a fourth aspect of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the steps of the foregoing terminal certificate updating method.
According to the computer-readable storage medium of the embodiment of the invention, by the terminal certificate updating method, the private key in the generated key pair is subjected to matching authentication with the terminal certificate to be updated, and the private key and the certificate are updated only after the authentication is passed, so that the correctness of certificate updating can be ensured.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a flowchart of a terminal certificate updating method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of executing a key pair generation command according to one embodiment of the invention;
FIG. 3 is a flow diagram of a process for executing an update terminal certificate command in accordance with one embodiment of the present invention;
fig. 4 is a block diagram of a terminal according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
A terminal certificate updating method, a terminal, and a computer-readable storage medium according to embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a terminal certificate updating method according to an embodiment of the present invention. Referring to fig. 1, the terminal certificate updating method may include the steps of:
and step S101, generating a key pair, and sending a public key in the key pair to the master station, so that the master station generates an update terminal certificate command according to the public key in the key pair and the terminal certificate to be updated.
Specifically, when the terminal certificate needs to be updated, the master station may send a certificate update command to the terminal, the terminal generates a key pair after receiving the certificate update command, and sends a public key in the key pair to the master station, and the master station generates an update terminal certificate command according to the public key and the terminal certificate to be updated after receiving the public key in the key pair, so as to update the subsequent terminal certificate. Certainly, the terminal may also actively update the terminal certificate, at this time, the terminal directly generates the key pair and sends a certificate update command carrying the public key in the key pair to the master station, and the master station generates an update terminal certificate command according to the public key in the key pair and the terminal certificate to be updated after receiving the command, so as to update the subsequent terminal certificate.
As a specific example, a terminal may include a main processing module, a key management module, and a security module. The main processing module may be configured to receive a certificate update command sent by the master station, analyze the certificate update command to obtain a command code, and send a key pair generation command to the key management module when the command code is a code for updating a terminal certificate, where the key pair generation command may adopt a command format shown in table 1:
TABLE 1
| Code | Value of |
| CLA | 80 |
| INS | 2C |
| P1 | 00 |
| P2 | Whether the private key needs to be saved: 0: is not limited toThe private key 1 needs to be saved: saving private keys to temporary storage |
| Lc | 0000 |
| Data | Is free of |
In table 1, CLA is a command type, and its value may be 80, which indicates that the packet is a command packet; the INS is a command code in the command category, and the value of the INS may be 2C, indicating that the message is used for key pair generation; p1 and P2 are parameters, and corresponding additional description can be added by setting P1 and P2, for example, in this example, the storage manner of the private key in the key pair can be set according to P2, such as when P2 is 0, it indicates that the private key in the generated key pair does not need to be stored, and at this time, the private key is mainly used for protecting subsequent related service data and is not stored after power failure, and when P2 is 1, it indicates that the private key in the generated key pair needs to be stored in the temporary storage area for use in subsequent terminal certificate update; lc represents the length of the subsequent Data, where the Data length is 0; data represents Data, here no Data.
After receiving the command for generating the key pair, the key management module parses the command, for example, parses the command shown in table 1, to obtain information such as a command code and a storage mode of the private key, and when the command code is the command code for generating the key pair, generates a key pair, and stores the private key according to the storage mode of the private key, and the specific process is shown in fig. 2, and may include the following steps:
in step S201, the key management module receives a key pair generation command, such as a command: 802C 00010000.
Step S202, generating a key pair, and storing a public key in the key pair in the FLASH/EEPROM.
Optionally, in some embodiments, the key pair is obtained by encrypting using a cryptographic algorithm. For example, the SM2 key pair may be generated using the SM2 cryptographic algorithm, which includes a 64-byte public key and a 32-byte private key, such as the public key: 438B953F720F7E3301408C84C2C6921CD5A4E17FBD93E5DC8C6FA03EA0604721CED2A071155A7ACC34F1BE1C009548F436749ED69296922997FCC526F007ABDC, thereby improving the application cracking difficulty and saving the application execution time.
Step S203, determining whether the private key in the key pair needs to be saved according to the parameter in the key pair generation command, if so, executing step S204, otherwise, executing step S205.
And step S204, storing the private key in the FLASH/EEPROM for use in the subsequent updating of the terminal certificate.
Step S205, storing the private key in the RAM for protecting the subsequent related service data.
That is, if the private key needs to be saved, it indicates that the generation of the key pair is for updating the terminal certificate, at this time, the private key is temporarily saved in the FLASH/EEPROM for updating the terminal certificate later, and if the private key does not need to be saved, it indicates that the generation of the key pair is for protecting the relevant service data later, and the private key is not saved when the power is off.
Step S206, the public key is sent to the main processing module, that is, the response message in table 1 is the public key in the key pair.
In step S207, the key pair generation ends.
After the key pair is generated, the terminal further sends the public key in the key pair to the master station, for example, the public key in the key pair is sent to the master station through the master processing module. After receiving the public key sent by the terminal, the master station generates a terminal certificate updating command according to the public key and the terminal certificate to be updated, and sends the terminal certificate updating command to the terminal so as to update the subsequent terminal certificate, wherein the terminal certificate updating command can adopt a command format shown in table 2:
TABLE 2
| Code | Value of |
| CLA | 84 |
| INS | 30 |
| P1 | 00 |
| P2 | XX |
| Lc | XXXX |
| Data | Data to be processed |
In table 2, CLA is a command type, and its value may be 84, which indicates that the packet is a command packet; the INS is a command code in the command category, whose value may be 30, indicating that the message is used to update the terminal certificate; p1 and P2 are parameters, and the updating type of the terminal certificate can be expanded into various data types according to the difference of P1 or P2, such as root certificate, CRL certificate, terminal signature certificate private key, terminal encryption certificate private key and the like; lc represents the length of the subsequent Data; data represents the Data that needs to be processed and may consist of the terminal certificate to be updated (containing the public key of the key pair).
And step S102, after receiving the command of updating the terminal certificate sent by the master station, performing matching authentication on the terminal certificate to be updated by using the private key in the key pair, and after the authentication is passed, updating the certificate according to the terminal certificate to be updated, and updating the private key according to the private key in the key pair.
Specifically, after receiving a command for updating a terminal certificate sent by a master station, a terminal analyzes the command, for example, analyzes the command shown in table 2 to obtain a command code and information such as data of the terminal certificate to be updated, and when the command code is the code for updating the terminal certificate, performs matching authentication on the terminal certificate to be updated by using a private key in a key pair to determine whether the terminal certificate to be updated sent by the master station is matched with the private key of the terminal, and if so, performs certificate updating according to the terminal certificate to be updated and performs private key updating according to the private key in the key pair; if not, then no certificate and private key updates are made.
As a specific example, a main processing module in the terminal may receive a command for updating a terminal certificate sent by a master station, send the command to the security module, the security module analyzes the command to obtain a command code and information such as data of the terminal certificate to be updated, perform matching authentication on the terminal certificate to be updated by using a private key in a key pair when the command code is the code for updating the terminal certificate, send the terminal certificate to be updated to the key management module after the authentication is passed, perform certificate update by using the key management module according to the terminal certificate to be updated, and perform private key update according to the private key in the key pair.
According to one embodiment of the present invention, a terminal certificate to be updated includes a public key in a key pair, and performing matching authentication on the terminal certificate to be updated by using a private key in the key pair includes: acquiring an authentication public key in a terminal certificate to be updated; carrying out matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair; and if the terminal certificate is matched with the terminal certificate to be updated, determining that the private key in the key pair is matched with the terminal certificate to be updated.
Specifically, when generating the command to update the terminal certificate, the master station may add the received public key in the key pair sent by the terminal to the terminal certificate to be updated, so as to perform matching authentication on the terminal certificate to be updated by using the public key in the following. After receiving a terminal certificate updating command sent by a master station, a terminal analyzes the command to obtain a terminal certificate to be updated, extracts a public key from the certificate, performs matching authentication on the public key and a private key in a key pair, if the public key and the private key in the key pair are matched, the private key in the key pair is matched with the terminal certificate to be updated, the terminal can update the certificate according to the terminal certificate to be updated and update the private key according to the private key in the key pair, otherwise, the terminal indicates that the private key in the key pair is not matched with the terminal certificate to be updated, and the terminal does not update the certificate and the private key.
Further, as an example, performing matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair includes: encrypting preset data by using a public key in a terminal certificate to be updated to obtain encrypted data; decrypting the encrypted data by using a private key in the key pair to obtain decrypted data; and if the decrypted data is the same as the preset data, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair. It should be noted that, in order to ensure the reliability of the verification, the preset data is a random number generated by the terminal.
Specifically, after obtaining the public key in the terminal certificate to be updated and the private key in the key pair, the terminal may first generate a random number of 16 bytes, such as random number R: 7390044BEA5B25C1B87E588D95B0E36D, then encrypting the random number R by using a public key in the terminal certificate to be updated to obtain encrypted data Rpk (R), decrypting the encrypted data Rpk (R) by using a private key in a key pair to obtain decrypted data R ', if R = R', the public key in the terminal certificate to be updated is matched with the private key in the key pair, namely the private key in the key pair is matched with the terminal certificate to be updated, namely the terminal certificate to be updated is legal, at the moment, the certificate can be updated according to the terminal certificate to be updated, and the private key is updated according to the private key in the key pair; if R is not equal to R', the terminal certificate to be updated is not legal, and the terminal does not update the certificate and the private key at the moment.
As another example, performing matching authentication on a public key in a terminal certificate to be updated and a private key in a key pair includes: signing preset data by using a public key in a terminal certificate to be updated to obtain a first signature; verifying the first signature by using a private key in the key pair; and if the signature verification is passed, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair. It should be noted that, in order to ensure the reliability of the verification, the preset data is a random number generated by the terminal.
Specifically, after obtaining the public key in the terminal certificate to be updated and the private key in the key pair, the terminal may first generate a random number of 16 bytes, such as random number R: 7390044BEA5B25C1B87E588D95B0E36D, then the public key in the terminal certificate to be updated is used for signing the random number R to obtain a first signature Z (R), and the private key in the key pair is used for checking the first signature Z (R), if the signature is passed, the public key in the terminal certificate to be updated is matched with the private key in the key pair, namely the private key in the key pair is matched with the terminal certificate to be updated, namely the terminal certificate to be updated is legal, at the moment, the certificate can be updated according to the terminal certificate to be updated, and the private key is updated according to the private key in the key pair; if the verification is not passed, the certificate of the terminal to be updated is not legal, and the terminal does not update the certificate and the private key at the moment.
It should be noted that, in practical application, it may also be determined whether the public key in the terminal certificate to be updated matches the private key in the key pair by using other manners, which is not limited herein.
Step S103, the serial number of the terminal certificate to be updated and the public key in the key pair are sent to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
Specifically, after the terminal updates the certificate according to the terminal certificate to be updated and updates the private key according to the private key in the key pair, the serial number in the terminal certificate to be updated and the public key in the key pair are also sent to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
In the above embodiment, after the terminal key pair is generated, the public key in the key pair is sent to the master station, so that the master station generates the terminal certificate updating command according to the public key, and stores the terminal certificate updating command in the temporary storage area instead of directly updating the private key.
According to an embodiment of the present invention, the command for updating the terminal certificate further includes a message authentication code, and the terminal certificate to be updated is an encrypted terminal certificate to be updated, and the method for updating the terminal certificate may further include: and verifying the message authentication code, and after the verification is passed, decrypting the encrypted terminal certificate to be updated to obtain the terminal certificate to be updated.
Specifically, after receiving the public key sent by the terminal, the master station generates a terminal certificate update command according to the public key and the terminal certificate to be updated, and sends the terminal certificate update command to the terminal, so as to update the subsequent terminal certificate, where the terminal certificate update command may adopt a command format shown in table 3:
TABLE 3
| Code | Value of |
| CLA | 84 |
| |
30 |
| P1 | 00 |
| P2 | XX |
| Lc | XXXX |
| Data | Data to be processed: encrypted terminal certificate + MAC to be updated |
In table 3, CLA is a command type, and its value may be 84, which indicates that the packet is a command packet; the INS is a command code in the command category, whose value may be 30, indicating that the message is used to update the terminal certificate; p1 and P2 are parameters, and the updating type of the terminal certificate can be expanded into various data types according to the difference of P1 or P2, such as root certificate, CRL certificate, terminal signature certificate private key, terminal encryption certificate private key and the like; lc represents the length of the subsequent Data, which can be an integral multiple of 16 +4 bytes of message authentication code MAC; the Data represents the Data to be processed, and can be composed of an encrypted terminal certificate to be updated containing a public key in a key pair and a message authentication code MAC.
Optionally, in some embodiments, the encrypted terminal certificate to be updated is obtained by encryption using a cryptographic algorithm. For example, the SM2 cryptographic algorithm is used to encrypt the terminal certificate to be updated.
After receiving a command for updating a terminal certificate sent by a master station, a terminal analyzes the command, for example, analyzes the command shown in table 3 to obtain a command code, a message authentication code MAC, an encrypted terminal certificate to be updated and the like, and verifies the message authentication code MAC, for example, a message authentication code MAC' is calculated by using a pre-negotiated decryption key and an initial vector and is compared with the message authentication code MAC in the command to judge whether the messages are consistent, if so, the message authentication code MAC passes the verification, then the encrypted terminal certificate to be updated is decrypted by using the pre-negotiated decryption key to obtain the terminal certificate to be updated, a public key in the terminal certificate to be updated is extracted, and then the terminal certificate is updated by using the public key according to the mode; if the terminal certificate is inconsistent with the private key, the terminal certificate to be updated is not legal, and the terminal does not update the terminal certificate and the private key at the moment, and the specific process is shown in fig. 3 and may include the following steps:
step S301, the security module receives a command for updating the terminal certificate.
Specifically, after receiving the command to update the terminal certificate, the main processing module in the terminal, such as the command: 8430011205E4 DEA4C3FAA6 … … 375D69489B45A9976FA 8887AB43 (with the certificate cipher text omitted in the middle) can be sent to the security module for corresponding processing by the security module.
Step S302, whether the message authentication code MAC passes the authentication or not is judged.
Specifically, the security module calculates a message authentication code using a pre-negotiated decryption key and an initial vector to obtain a message authentication code MAC ', and compares the message authentication code MAC' with a message authentication code MAC in the command: 8887AB43, if they are the same, the message authentication code MAC passes the authentication, at this time, step S303 is executed, otherwise, the authentication does not pass, at this time, step S304 is executed.
Step S303, the terminal certificate to be updated is obtained through decryption, and a public key is extracted.
Specifically, the security module uses a pre-negotiated decryption key to encrypt the data of the terminal certificate to be updated: DEA4C3FAA6 … … 375D69489B45A9976FA decrypts to obtain the terminal certificate to be updated, and extracts the public key.
In step S304, the terminal certificate update operation is not performed.
Specifically, the key management module does not update the certificate and the private key.
Step S305, whether the public key is matched with the private key in the key pair is authenticated.
Specifically, the security module verifies whether the public key extracted from the terminal certificate to be updated matches the private key in the key pair (for a specific example, refer to the foregoing description), if so, it indicates that the terminal certificate to be updated is legal, at this time, step S306 is executed, otherwise, it indicates that the terminal certificate to be updated is illegal, at this time, step S304 is returned.
And step S306, storing the private key into the FLASH/EEPROM, and updating the terminal certificate.
It should be noted that the storage of the private key at this time is an update of the private key, and specifically, the private key in the temporary storage area may be stored in the private key storage area by the key management module, and the terminal certificate may be updated at the same time.
In step S307, the terminal certificate update ends.
In the above embodiment, when the terminal certificate is updated, the security and integrity of the data are ensured by combining the ciphertext and the message authentication code.
In summary, according to the terminal certificate updating method provided by the embodiment of the invention, the matching between the key pair and the terminal certificate can be ensured, the correctness of certificate updating is ensured, and the security and integrity of data transmission are ensured.
Fig. 4 is a block diagram of a terminal according to an embodiment of the present invention, and referring to fig. 4, the terminal may include: a key management module 10, a main processing module 20 and a security module 30.
The key management module 10 is configured to generate a key pair; the main processing module 20 is configured to send a public key in the key pair to the master station, and receive a terminal certificate update command sent by the master station, where the master station generates the terminal certificate update command according to the public key in the key pair and the terminal certificate to be updated; the security module 30 is configured to perform matching authentication on the terminal certificate to be updated by using a private key in the key pair after the main processing module receives the terminal certificate updating command sent by the master station, perform certificate updating according to the terminal certificate to be updated after the authentication is passed, and perform private key updating according to the private key in the key pair; the main processing module 20 is further configured to send the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
In one embodiment, the terminal further comprises a temporary storage area (not specifically shown in the figure) for temporarily storing the key pair.
In one embodiment, the terminal certificate to be updated includes a public key in a key pair, and the security module 30 is specifically configured to: and acquiring a public key in the terminal certificate to be updated, performing matching authentication on the public key in the terminal certificate to be updated and a private key in a key pair, and if the public key in the terminal certificate to be updated and the private key in the key pair are matched, determining that the private key in the key pair is matched with the terminal certificate to be updated.
In one embodiment, the security module 30 is specifically configured to: and encrypting the preset data by using the public key in the terminal certificate to be updated to obtain encrypted data, decrypting the encrypted data by using the private key in the key pair to obtain decrypted data, and if the decrypted data is the same as the preset data, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
In one embodiment, the security module 30 is specifically configured to: and signing the preset data by using the public key in the terminal certificate to be updated to obtain a first signature, verifying the signature of the first signature by using the private key in the key pair, and if the signature passes the verification, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
In one embodiment, the command to update the terminal certificate further includes a message authentication code, and the terminal certificate to be updated is an encrypted terminal certificate to be updated, the security module 30 is further configured to: and verifying the message authentication code, and after the verification is passed, decrypting the encrypted terminal certificate to be updated to obtain the terminal certificate to be updated.
In one embodiment, the key pair and the encrypted terminal certificate to be updated are obtained by encryption through a national cryptographic algorithm.
It should be noted that, for the description of the terminal in the present application, please refer to the description of the terminal certificate updating method in the present application, and details are not repeated here.
According to the terminal provided by the embodiment of the invention, the matching of the key pair and the terminal certificate can be ensured, the updating correctness of the certificate is ensured, and the safety and the integrity of data transmission are ensured.
In some embodiments, there is further provided a terminal comprising a memory and a processor, the memory storing a computer program, the processor implementing the steps of the aforementioned terminal certificate updating method when executing the computer program.
According to the terminal of the embodiment of the invention, by the terminal certificate updating method, the matching of the key pair and the terminal certificate can be ensured, the correctness of certificate updating is ensured, and the safety and the integrity of data transmission are ensured.
In some embodiments, there is also provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the aforementioned terminal certificate updating method.
According to the computer-readable storage medium of the embodiment of the invention, by the terminal certificate updating method, the matching of the key pair and the terminal certificate can be ensured, the correctness of certificate updating is ensured, and the safety and the integrity of data transmission are ensured.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, such as an ordered listing of executable commands that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with a command execution system, apparatus, or device (e.g., a computer-based system, processor-containing system, or other system that can fetch the commands from the command execution system, apparatus, or device and execute the commands). For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the command execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable command execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the present invention, unless otherwise expressly stated or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; they may be directly connected or indirectly connected through intervening media, or they may be connected internally or in any other suitable relationship, unless expressly stated otherwise. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
Claims (9)
1. A terminal certificate updating method is applied to a terminal in a power utilization information acquisition system, the terminal is communicated with a master station in the power utilization information acquisition system, and the terminal is used for acquiring power utilization information, and the method comprises the following steps:
generating a key pair, and sending a public key in the key pair to a master station so that the master station generates an update terminal certificate command according to the public key in the key pair and a terminal certificate to be updated, wherein the terminal certificate to be updated comprises the public key in the key pair;
after receiving a terminal certificate updating command sent by the master station, performing matching authentication on the terminal certificate to be updated by using a private key in the key pair, and after the authentication is passed, updating the certificate according to the terminal certificate to be updated and updating the private key according to the private key in the key pair; the performing matching authentication on the terminal certificate to be updated by using the private key in the key pair includes: acquiring a public key in the terminal certificate to be updated; performing matching authentication on a public key in the terminal certificate to be updated and a private key in the key pair; if the terminal certificate is matched with the terminal certificate to be updated, determining that a private key in the key pair is matched with the terminal certificate to be updated;
and sending the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
2. The terminal certificate updating method according to claim 1, wherein after generating the key pair, the method further comprises:
storing the key pair in a temporary storage area.
3. The method according to claim 1, wherein the performing matching authentication on the public key in the terminal certificate to be updated and the private key in the key pair comprises:
encrypting preset data by using a public key in the terminal certificate to be updated to obtain encrypted data;
decrypting the encrypted data by using a private key in the key pair to obtain decrypted data;
and if the decryption data is the same as the preset data, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
4. The method according to claim 1, wherein the performing matching authentication on the public key in the terminal certificate to be updated and the private key in the key pair comprises:
signing preset data by using a public key in the terminal certificate to be updated to obtain a first signature;
verifying the first signature by using a private key in the key pair;
and if the signature verification is passed, determining that the public key in the terminal certificate to be updated is matched with the private key in the key pair.
5. The method according to any one of claims 1 to 4, wherein the command for updating the terminal certificate further includes a message authentication code, and the terminal certificate to be updated is an encrypted terminal certificate to be updated, and the method further includes:
and verifying the message authentication code, and after the verification is passed, decrypting the encrypted terminal certificate to be updated to obtain the terminal certificate to be updated.
6. The method according to claim 5, wherein the key pair and the encrypted terminal certificate to be updated are obtained by encryption using a cryptographic algorithm.
7. The utility model provides a terminal, its characterized in that is applied to in the power consumption information acquisition system, the terminal with master station in the power consumption information acquisition system communicates, the terminal is used for carrying out power consumption information acquisition, the terminal includes:
the key management module is used for generating a key pair;
the master processing module is used for sending the public key in the key pair to a master station and receiving a terminal certificate updating command sent by the master station, wherein the master station generates the terminal certificate updating command according to the public key in the key pair and a terminal certificate to be updated, and the terminal certificate to be updated comprises the public key in the key pair;
the security module is used for performing matching authentication on the terminal certificate to be updated by using a private key in the key pair after the main processing module receives a command of updating the terminal certificate sent by the main station, updating the certificate according to the terminal certificate to be updated after the authentication is passed, and updating the private key according to the private key in the key pair; wherein the security module is specifically configured to: acquiring a public key in the terminal certificate to be updated; performing matching authentication on a public key in the terminal certificate to be updated and a private key in the key pair; if the terminal certificate is matched with the terminal certificate to be updated, determining that a private key in the key pair is matched with the terminal certificate to be updated;
and the main processing module is further configured to send the serial number of the terminal certificate to be updated and the public key in the key pair to the master station, so that the master station updates the terminal certificate according to the serial number of the terminal certificate to be updated and updates the terminal public key according to the public key in the key pair.
8. A terminal comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the terminal certificate updating method of any one of claims 1 to 6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the terminal certificate updating method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110781879.8A CN113239410B (en) | 2021-07-12 | 2021-07-12 | Terminal certificate updating method, terminal and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110781879.8A CN113239410B (en) | 2021-07-12 | 2021-07-12 | Terminal certificate updating method, terminal and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113239410A CN113239410A (en) | 2021-08-10 |
| CN113239410B true CN113239410B (en) | 2021-12-03 |
Family
ID=77135383
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110781879.8A Active CN113239410B (en) | 2021-07-12 | 2021-07-12 | Terminal certificate updating method, terminal and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113239410B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101136743A (en) * | 2006-08-31 | 2008-03-05 | 普天信息技术研究院 | Digital certificate updating method and system |
| CN102571340A (en) * | 2010-12-23 | 2012-07-11 | 普天信息技术研究院有限公司 | Certificate authentication device as well as access method and certificate update method thereof |
| CN109257328A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of safety interacting method and device of scene operation/maintenance data |
| CN109743176A (en) * | 2018-12-28 | 2019-05-10 | 百富计算机技术(深圳)有限公司 | A kind of certificate update method, server and the POS terminal of POS terminal |
| CN111107085A (en) * | 2019-12-18 | 2020-05-05 | 青岛联众智芯科技有限公司 | Safety communication method based on publish-subscribe mode |
| CN112511297A (en) * | 2020-11-30 | 2021-03-16 | 郑州信大捷安信息技术股份有限公司 | Method and system for updating key pair and digital certificate |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9842335B2 (en) * | 2012-03-23 | 2017-12-12 | The Toronto-Dominion Bank | System and method for authenticating a payment terminal |
-
2021
- 2021-07-12 CN CN202110781879.8A patent/CN113239410B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101136743A (en) * | 2006-08-31 | 2008-03-05 | 普天信息技术研究院 | Digital certificate updating method and system |
| CN102571340A (en) * | 2010-12-23 | 2012-07-11 | 普天信息技术研究院有限公司 | Certificate authentication device as well as access method and certificate update method thereof |
| CN109257328A (en) * | 2017-07-14 | 2019-01-22 | 中国电力科学研究院 | A kind of safety interacting method and device of scene operation/maintenance data |
| CN109743176A (en) * | 2018-12-28 | 2019-05-10 | 百富计算机技术(深圳)有限公司 | A kind of certificate update method, server and the POS terminal of POS terminal |
| CN111107085A (en) * | 2019-12-18 | 2020-05-05 | 青岛联众智芯科技有限公司 | Safety communication method based on publish-subscribe mode |
| CN112511297A (en) * | 2020-11-30 | 2021-03-16 | 郑州信大捷安信息技术股份有限公司 | Method and system for updating key pair and digital certificate |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113239410A (en) | 2021-08-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10708062B2 (en) | In-vehicle information communication system and authentication method | |
| US9311487B2 (en) | Tampering monitoring system, management device, protection control module, and detection module | |
| CN102549595B (en) | Information processor, controller, Key Issuance station, ineffective treatment listing effectiveness decision method and Key Issuance method | |
| CN106330856A (en) | Hearing device and method of hearing device communication | |
| CN103248491B (en) | A kind of backup method of electronic signature token private key and system | |
| CN106330857A (en) | Client device with certificate and related method | |
| CN102111265A (en) | Method for encrypting embedded secure access module (ESAM) of power system acquisition terminal | |
| CN101149775A (en) | Encryption and decryption method for realizing hardware and software binding | |
| CN114884659B (en) | Key agreement method, gateway, terminal device and storage medium | |
| CN114257376B (en) | Digital certificate updating method, device, computer equipment and storage medium | |
| CN104836784A (en) | Information processing method, client, and server | |
| CN112887282A (en) | Identity authentication method, device and system and electronic equipment | |
| CN111737770A (en) | Key management method and application | |
| CN112134694B (en) | Data interaction method, master station, terminal and computer readable storage medium | |
| CN115242397A (en) | OTA upgrade security verification method and readable storage medium for vehicle EUC | |
| CN111970122B (en) | Official APP identification method, mobile terminal and application server | |
| CN112019342B (en) | Data transmission method between electric energy meter and master station and electric energy meter | |
| CN109245882A (en) | A kind of SM2 endorsement method suitable for electric power wireless sensor network | |
| CN113239410B (en) | Terminal certificate updating method, terminal and computer readable storage medium | |
| CN112073198A (en) | Electricity consumption information acquisition system, internal authentication method of electricity meter and terminal | |
| CN108932425B (en) | Offline identity authentication method, authentication system and authentication equipment | |
| CN115225365A (en) | Data secure transmission method, platform and system based on cryptographic algorithm | |
| CN114553542A (en) | Data packet encryption method and device and electronic equipment | |
| CN114297673A (en) | Password verification method, solid state disk and upper computer | |
| CN107516044A (en) | A kind of recognition methods, device and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |