CN113905368A - Mobile terminal secure communication method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN113905368A
Authority
CN
China
Prior art keywords
mobile terminal
service
service platform
key
information
Legal status
Pending
Application number
CN202111476311.1A
Other languages
Chinese (zh)
Inventor
曾闯
桂靖
董逢华
Current Assignee
Wuhan Tianyu Information Industry Co Ltd
Original Assignee
Wuhan Tianyu Information Industry Co Ltd
Application filed by Wuhan Tianyu Information Industry Co Ltd
Priority to CN202111476311.1A
Publication of CN113905368A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA], using a trusted network node as an anchor
    • H04W12/0431 Key distribution or pre-distribution; Key agreement
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application relates to a mobile terminal secure communication method, apparatus, device and readable storage medium in the technical field of information security. The mobile terminal is provided with a first security module and the service platform with a second security module. The mobile terminal receives a token certificate sent by the service platform and generates a first key pair through the first security module; after key agreement between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through the second security module and stores the first public key in the second security module; after key agreement between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key in the first security module; and the mobile terminal and the service platform encrypt and decrypt the service request information and the service response information through the token certificate, the first key pair and the second key pair. The method and apparatus ensure data security while ensuring the data integrity of the mobile terminal and the service platform.

Description

Mobile terminal secure communication method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for secure communication of a mobile terminal.
Background
A mobile terminal is a media platform that integrates voice communication, data communication, image processing and other functions. With the progress of mobile communication technology, the mobile terminal, as the hardware carrier of that technology, has developed continuously: hardware performance requirements keep rising, the software system grows more complex, and the terminal has not only an operating system but also an application runtime platform and a large amount of application software, making it an indispensable part of daily life.
As science and technology advance, mobile terminals are widely applied and developed, but at the same time their openness and flexibility seriously threaten their security. For example, user or service platform data can be obtained through packet capture, data interception and reverse engineering, which exposes user data and the service platform to security risks and losses.
Disclosure of Invention
The application provides a mobile terminal secure communication method, a device, equipment and a readable storage medium, which are used for solving the problem of poor data communication security between a mobile terminal and a service platform in the related art.
In a first aspect, a secure communication method for a mobile terminal is provided, where the method is applied to data communication between the mobile terminal and a service platform, the mobile terminal is provided with a first security module, and the service platform is provided with a second security module, and the method includes the following steps:
the mobile terminal receives a token certificate sent by a service platform, and generates a first key pair through a first security module, wherein the first key pair comprises a first private key and a first public key;
after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, wherein the second key pair comprises a second private key and a second public key, and the first public key is stored in the second security module;
after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module;
and the mobile terminal and the service platform perform encryption and decryption processing on the service request information and the service response information through the token certificate, the first key pair and the second key pair.
In some embodiments, after performing key agreement between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, including:
the mobile terminal signs the security request information based on the first private key to obtain first security signing information, wherein the security request information comprises the first public key; performing white-box encryption on the first secure signing information and the secure request information to obtain first secure encrypted information; sending the first security encryption information to the service platform;
the service platform performs white-box decryption on the first security encrypted information to obtain the first public key and the first security signing information, and verifies the first security signing information based on the first public key; if the verification succeeds, the service platform generates the second key pair through the second security module.
In some embodiments, the security request information further includes a mobile terminal identifier, and after the step of storing the first public key to the second security module, further includes:
and the service platform respectively creates mapping relations between the first public key and the mobile terminal identification and between the second private key and the mobile terminal identification.
In some embodiments, the encrypting and decrypting the service request information and the service response information between the mobile terminal and the service platform through the token credential, the first key pair and the second key pair includes:
the mobile terminal signs the service request information based on the first private key to obtain first service signing information; encrypting the first service signing information and the service request information based on the second public key to obtain first service encryption information; sending the first service encryption information, the token certificate and the mobile terminal identification to a service platform;
the service platform detects whether the token credential has expired; if not, the service platform decrypts the first service encryption information based on the second private key corresponding to the mobile terminal identifier to obtain the first service signing information and the service request information, and verifies the first service signing information based on the first public key corresponding to the mobile terminal identifier; if the verification succeeds, the service platform signs the service response information based on the second private key corresponding to the mobile terminal identifier to obtain second service signing information, encrypts the second service signing information and the service response information based on the first public key corresponding to the mobile terminal identifier to obtain second service encryption information, and sends the second service encryption information to the mobile terminal;
the mobile terminal decrypts the second service encryption information based on the first public key to obtain service response information and second service signing information; and checking the second service signing information based on the second public key, and if the second service signing information passes the checking, performing service processing based on the service response information.
In some embodiments, after the step of the service platform detecting whether the token credential is expired, the method further includes:
and if the service platform detects that the token credential has expired, the service platform returns a message containing an error code to the mobile terminal.
In some embodiments, after performing key agreement between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module, which includes:
the service platform signs the security response information based on the second private key to obtain second security signing information, wherein the security response information comprises the second public key; encrypts the second security signing information and the security response information based on the first public key to obtain second security encryption information; and sends the second security encryption information to the mobile terminal;
the mobile terminal decrypts the second security encrypted information based on the first private key to obtain a second public key and second security signing information; and checking the second security signing information based on the second public key, and if the checking is successful, storing the second public key to the first security module.
In some embodiments, before the step of receiving, by the mobile terminal, the token credential sent by the service platform, the method further includes:
the mobile terminal sends white-box-encrypted authentication data to the service platform;
the service platform performs white-box decryption to obtain the authentication data, performs authority authentication on the authentication data to obtain a token certificate, and sends the token certificate to the mobile terminal.
In a second aspect, a secure communication apparatus for a mobile terminal is provided, including a mobile terminal provided with a first security module and a service platform provided with a second security module, wherein:
the mobile terminal receives a token certificate sent by a service platform, and generates a first key pair through a first security module, wherein the first key pair comprises a first private key and a first public key;
after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, wherein the second key pair comprises a second private key and a second public key, and the first public key is stored in the second security module;
after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module;
and the mobile terminal and the service platform perform encryption and decryption processing on the service request information and the service response information through the token certificate, the first key pair and the second key pair.
In a third aspect, a secure communication device for a mobile terminal is provided, which includes a memory and a processor, wherein at least one instruction is stored in the memory and is loaded and executed by the processor to implement the mobile terminal secure communication method described above.
In a fourth aspect, a computer-readable storage medium is provided, which stores a computer program that, when executed by a processor, implements the aforementioned secure communication method for a mobile terminal.
The beneficial effects of the technical solution provided by the application include: the method and system allow different mobile terminals to communicate securely with the same service platform, and ensure data security while ensuring the data integrity of the mobile terminals and the service platform.
The application provides a mobile terminal secure communication method, apparatus, device and readable storage medium, wherein the method is applied to data communication between a mobile terminal and a service platform, the mobile terminal is provided with a first security module and the service platform with a second security module. The mobile terminal receives a token certificate sent by the service platform and generates a first key pair through the first security module, the first key pair comprising a first private key and a first public key; after key agreement between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through the second security module, the second key pair comprising a second private key and a second public key, and stores the first public key in the second security module; after key agreement between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key in the first security module; and the mobile terminal and the service platform encrypt and decrypt the service request information and the service response information through the token certificate, the first key pair and the second key pair. With this method, different mobile terminals obtain different secure communication keys for communicating with the service platform through the first security module and the second security module, so that different mobile terminals can communicate securely with the same service platform, and data security is guaranteed while the data integrity of the mobile terminals and the service platform is guaranteed.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a secure communication method of a mobile terminal according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a secure communication apparatus of a mobile terminal according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a mobile terminal secure communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a mobile terminal secure communication method, a mobile terminal secure communication device, mobile terminal secure communication equipment and a readable storage medium, and solves the problem that data communication security between a mobile terminal and a service platform is poor in the related art.
Fig. 1 shows a secure communication method of a mobile terminal, applied to data communication between the mobile terminal and a service platform, where the mobile terminal is provided with a first security module and the service platform with a second security module; the first security module and the second security module may be security chips or security modules implemented in software. The method comprises the following steps:
step S10: the mobile terminal receives a token certificate sent by a service platform, and generates a first key pair through a first security module, wherein the first key pair comprises a first private key and a first public key;
further, before step S10, the method further includes the following steps:
the mobile terminal sends white-box-encrypted authentication data to the service platform;
the service platform performs white-box decryption to obtain the authentication data, performs authority authentication on the authentication data to obtain a token certificate, and sends the token certificate to the mobile terminal.
Exemplarily, in the embodiment of the application, before any data interaction the mobile terminal and the service platform need to perform identity authentication and obtain a token certificate serving as a unique identification. Specifically, the mobile terminal sends the authentication data (athData) to the service platform under white-box encryption; the authentication mode may be login account and password authentication, X.509 authentication, ID2 authentication or a triple, the specific choice being determined by actual requirements and not limited herein. The service platform performs white-box decryption on the received white-box-encrypted authentication data to obtain the athData, performs authority authentication on the athData, generates a login token after the authentication passes and returns the token certificate to the mobile terminal; the mobile terminal thus holds the token certificate in preparation for the public key exchange, and the token certificate has a validity period. Because the token is a character string generated by the service platform and used as the mobile terminal's request token, after the mobile terminal logs in for the first time the service platform generates a token and returns it to the mobile terminal; thereafter the mobile terminal only needs to present the token when requesting data from the service platform, without sending the user name and password again.
Therefore, after the mobile terminal receives the token credential returned by the service platform, the first security module may generate and store the mobile terminal's first key pair, that is, a first public key (mPublicKey) and a first private key (mSecretKey). The algorithm used by the first security module to generate the key pair may be the RSA (public key cryptosystem) algorithm, the SM2 (elliptic curve public key cryptosystem) algorithm or a conic curve cryptographic algorithm; which algorithm is used may be determined according to actual needs and is not limited herein.
Step S20: after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, wherein the second key pair comprises a second private key and a second public key, and the first public key is stored in the second security module;
further, after performing key agreement between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, which specifically includes the following steps:
the mobile terminal signs the security request information based on the first private key to obtain first security signing information, wherein the security request information comprises the first public key; performing white-box encryption on the first secure signing information and the secure request information to obtain first secure encrypted information; sending the first security encryption information to the service platform;
the service platform performs white-box decryption on the first security encrypted information to obtain the first public key and the first security signing information, and verifies the first security signing information based on the first public key; if the verification succeeds, the service platform generates the second key pair through the second security module.
Further, the security request information further includes a mobile terminal identifier, and after the step of storing the first public key in the second security module, the method further includes the following steps:
and the service platform respectively creates mapping relations between the first public key and the mobile terminal identification and between the second private key and the mobile terminal identification.
Exemplarily, in the embodiment of the present application, key agreement and signature verification need to be performed. That is, the mobile terminal signs the token credential and the related parameters with the private key generated by the first security module, and sends the public key generated by the first security module together with the signature information to the service platform under white-box encryption. The service platform obtains the public key generated by the first security module and the mobile terminal's signature information through white-box decryption and verifies the uploaded signature information; after the verification succeeds, it generates the second key pair through the second security module, signs the relevant parameters with the private key generated by the second security module, white-box-encrypts the public key generated by the second security module together with that signature, sends the result to the mobile terminal, and stores the private key generated by the service platform through the second security module and the public key generated by the mobile terminal through the first security module for secure communication.
Specifically, the mobile terminal assembles a security request message reqData (that is, security request information including a timestamp, the mPublicKey and the mobile terminal's unique identifier, its mac address), signs the reqData with the mSecretKey using the algorithm of the first security module to generate mSign (that is, first security signing information), performs white-box encryption on the reqData and the mSign to obtain encReqData (that is, first security encryption information), and sends the encReqData to the service platform.
The service platform receives encReqData, obtains reqData and mSign through white-box decryption, and then verifies mSign with the mPublicKey through the second security module, the verification method being determined by the asymmetric algorithm with which the key pair was generated. After the verification succeeds, the service platform generates its own second key pair, namely a second public key (pPublicKey) and a second private key (pSecretKey), through the second security module, stores the mPublicKey and the pSecretKey in the second security module, and associates the mPublicKey and the pSecretKey respectively with the mac address.
Step S30: after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module;
further, after performing key agreement between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module, which specifically includes the following steps:
the service platform signs the security response information based on the second private key to obtain second security signing information, wherein the security response information comprises the second public key; encrypts the second security signing information and the security response information based on the first public key to obtain second security encryption information; and sends the second security encryption information to the mobile terminal;
the mobile terminal decrypts the second security encrypted information based on the first private key to obtain a second public key and second security signing information; and checking the second security signing information based on the second public key, and if the checking is successful, storing the second public key to the first security module.
Exemplarily, in the embodiment of the present application, the mobile terminal obtains the public key generated by the service platform through the second security module through white box decryption, and checks the signature of the related parameter, and after the mobile terminal successfully checks the signature, the public key generated by the service platform through the second security module and the private key generated by the mobile terminal through the first security module are stored for secure communication.
Specifically, the service platform assembles a return message respData (that is, security response information including the pPublicKey, a timestamp and similar information), signs the respData with the pSecretKey to generate pSign (that is, second security signing information), encrypts the respData and the pSign with the mPublicKey to obtain encRespData (that is, second security encryption information), and sends the encRespData to the mobile terminal.
The mobile terminal receives encRespData and decrypts it with the mSecretKey cached in the first security module to obtain respData and pSign; the first security module then verifies pSign with the pPublicKey and, after the verification passes, stores the pPublicKey in the first security module. Thus, in the embodiment of the application, the first security module verifies signatures with the public key of the second security module, and the second security module verifies signatures with the public key of the first security module.
Step S40: and the mobile terminal and the service platform perform encryption and decryption processing on the service request information and the service response information through the token certificate, the first key pair and the second key pair.
Further, the encrypting and decrypting process is performed between the mobile terminal and the service platform on the service request information and the service response information through the token certificate, the first key pair and the second key pair, and specifically includes the following steps:
the mobile terminal signs the service request information based on the first private key to obtain first service signing information; encrypting the first service signing information and the service request information based on the second public key to obtain first service encryption information; sending the first service encryption information, the token certificate and the mobile terminal identification to a service platform;
the service platform detects whether the token credential has expired; if not, the service platform decrypts the first service encryption information based on the second private key corresponding to the mobile terminal identifier to obtain the first service signing information and the service request information, and verifies the first service signing information based on the first public key corresponding to the mobile terminal identifier; if the verification succeeds, the service platform signs the service response information based on the second private key corresponding to the mobile terminal identifier to obtain second service signing information, encrypts the second service signing information and the service response information based on the first public key corresponding to the mobile terminal identifier to obtain second service encryption information, and sends the second service encryption information to the mobile terminal;
the mobile terminal decrypts the second service encryption information based on the first public key to obtain service response information and second service signing information; and checking the second service signing information based on the second public key, and if the second service signing information passes the checking, performing service processing based on the service response information.
Further, after the step of detecting whether the token credential is expired by the service platform, the method further includes the following steps:
and if the service platform detects that the token credential has expired, the service platform returns a message containing an error code to the mobile terminal.
By way of example, in the embodiment of the present application the mobile terminal encrypts data with a public key generated by the second security module in the service platform, and the service platform decrypts the data with the private key generated by the second security module and verifies the integrity of the data through a signature check; the service platform encrypts data with a public key generated by the first security module in the mobile terminal, and the mobile terminal decrypts the data with the private key generated by the first security module and verifies the integrity of the data through a signature check.
Specifically, the mobile terminal initiates a service request and assembles its parameters to obtain reqDataB (i.e., the service request information), a mac address and a token credential; it signs reqDataB with mSecretKey through the first security module to obtain mSignB (i.e., the first service signing information), encrypts reqDataB and mSignB with the pPublicKey stored in the first security module to obtain encReqDataB (i.e., the first service encryption information), and transmits encReqDataB, the mac address and the token credential to the service platform.
The service platform judges whether the token credential has expired; if it has, an error code is returned to the mobile terminal. If the token credential has not expired, the service platform decrypts encReqDataB with the pSecretKey corresponding to the mac address stored in the second security module to obtain reqDataB and mSignB for service processing; mSignB is checked through the second security module with mPublicKey, and after the check passes and the service has been processed, the service platform assembles the return data to obtain respDataB (i.e., the service response information). The second security module signs respDataB with pSecretKey to obtain pSignB (i.e., the second service signing information), then encrypts respDataB and pSignB with mPublicKey to obtain encRespDataB (i.e., the second service encryption information), which is returned to the mobile terminal.
After the mobile terminal receives encRespDataB, the first security module decrypts encRespDataB with mSecretKey to obtain respDataB and pSignB, the first security module checks pSignB with pPublicKey, and after the check passes the mobile terminal can process the corresponding result.
In the embodiment of the application, the mobile terminal ensures the integrity of its own data and the security of the data returned by the service platform through the public and private key pair generated by the first security module and the token credential issued by the service platform; the service platform ensures the integrity of its own data and the security of the data uploaded by the mobile terminal through the public and private key pair generated by the second security module. That is, the mobile terminal and the service platform each rely on their respective first and second security modules to hold their own private keys, so that the private keys are never transmitted out of the security modules and are difficult for others to obtain; signing with these private keys therefore effectively prevents man-in-the-middle attacks.
Therefore, according to the embodiment of the application, different mobile terminals can use different secure-communication key pairs to communicate with the service platform through the first and second security modules, so that different mobile terminals can communicate securely with the same service platform, and data security is guaranteed while the data integrity of the mobile terminals and the service platform is guaranteed.
Referring to fig. 2, an embodiment of the present application further provides a secure communication apparatus for a mobile terminal, including a mobile terminal provided with a first security module and a service platform provided with a second security module, wherein:
the mobile terminal receives a token credential sent by the service platform and generates a first key pair through the first security module, the first key pair comprising a first private key and a first public key;
after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through the second security module, the second key pair comprising a second private key and a second public key, and the first public key is stored in the second security module;
after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key in the first security module;
and the mobile terminal and the service platform encrypt and decrypt the service request information and the service response information using the token credential, the first key pair and the second key pair.
According to the embodiment of the application, different mobile terminals can use different secure-communication keys to communicate with the service platform through the first and second security modules, so that different mobile terminals can communicate securely with the same service platform, and data security is guaranteed while the data integrity of the mobile terminals and the service platform is guaranteed.
Further, in this embodiment of the present application, the service platform and the mobile terminal are specifically configured such that:
the mobile terminal signs the security request information with the first private key to obtain first security signing information, the security request information comprising the first public key; performs white-box encryption on the first security signing information and the security request information to obtain first security encryption information; and sends the first security encryption information to the service platform;
the service platform performs white-box decryption on the first security encryption information to obtain the first public key and the first security signing information, verifies the first security signing information with the first public key and, if the verification succeeds, generates the second key pair through the second security module.
Further, in this embodiment of the present application, the service platform is further configured such that:
the service platform creates mapping relations between the first public key and the mobile terminal identifier and between the second private key and the mobile terminal identifier, respectively.
Furthermore, in this embodiment of the present application, the mobile terminal and the service platform are further specifically configured such that:
the mobile terminal signs the service request information with the first private key to obtain first service signing information, encrypts the first service signing information and the service request information with the second public key to obtain first service encryption information, and sends the first service encryption information, the token credential and the mobile terminal identifier to the service platform;
the service platform detects whether the token credential has expired; if it has not, the service platform decrypts the first service encryption information with the second private key corresponding to the mobile terminal identifier to obtain the first service signing information and the service request information, verifies the first service signing information with the first public key corresponding to the mobile terminal identifier and, if the verification succeeds, signs the service response information with the second private key corresponding to the mobile terminal identifier to obtain second service signing information, encrypts the second service signing information and the service response information with the first public key corresponding to the mobile terminal identifier to obtain second service encryption information, and sends the second service encryption information to the mobile terminal;
the mobile terminal decrypts the second service encryption information based on the first public key to obtain the service response information and the second service signing information, verifies the second service signing information with the second public key and, if the verification passes, performs service processing based on the service response information.
Further, in this embodiment of the present application, the service platform is further configured such that:
if the service platform detects that the token credential has expired, the service platform returns information containing an error code to the mobile terminal.
Furthermore, in this embodiment of the present application, the mobile terminal and the service platform are further specifically configured such that:
the service platform signs the security response information with the second private key to obtain second security signing information, the security response information comprising the second public key; encrypts the second security signing information and the security response information with the first public key to obtain second security encryption information; and sends the second security encryption information to the mobile terminal;
the mobile terminal decrypts the second security encryption information with the first private key to obtain the second public key and the second security signing information, verifies the second security signing information with the second public key and, if the verification succeeds, stores the second public key in the first security module.
Further, in this embodiment of the present application, before the mobile terminal receives the token credential sent by the service platform, the mobile terminal and the service platform are further configured such that:
the mobile terminal sends white-box-encrypted authentication data to the service platform;
the service platform obtains the authentication data by white-box decryption, performs authority authentication on the authentication data to obtain a token credential, and sends the token credential to the mobile terminal.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the apparatus and of each unit described above may refer to the corresponding processes in the foregoing embodiment of the mobile terminal secure communication method, and are not described here again.
The apparatus provided by the above embodiment may be implemented in the form of a computer program, which can run on the mobile terminal secure communication device shown in fig. 3.
An embodiment of the present application further provides a mobile terminal secure communication device, comprising a memory, a processor and a network interface connected through a system bus, wherein at least one instruction is stored in the memory, and the at least one instruction is loaded and executed by the processor so as to implement all or part of the steps of the mobile terminal secure communication method.
The network interface is used for network communication, such as sending distributed tasks. Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
The processor may be a CPU, another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like; the processor is the control center of the computer device and connects the various parts of the overall computer device through various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and by invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a video playing function, an image playing function, etc.), and the like; the data storage area may store data (such as video data, image data, etc.) created according to the use of the cellular phone, etc. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, an internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements all or part of the steps of the foregoing secure communication method for a mobile terminal.
The embodiments of the present application may implement all or part of the foregoing processes, or may be implemented by a computer program to instruct related hardware, where the computer program may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the computer program may implement the steps of the foregoing methods. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer memory, Read-Only memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like. It should be noted that the computer readable medium may contain other components which may be suitably increased or decreased as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, in accordance with legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunications signals.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, server, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A secure communication method of a mobile terminal is applied to data communication between the mobile terminal and a service platform, the mobile terminal is provided with a first security module, the service platform is provided with a second security module, and the method comprises the following steps:
the mobile terminal receives a token certificate sent by a service platform, and generates a first key pair through a first security module, wherein the first key pair comprises a first private key and a first public key;
after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, wherein the second key pair comprises a second private key and a second public key, and the first public key is stored in the second security module;
after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module;
and the mobile terminal and the service platform perform encryption and decryption processing on the service request information and the service response information through the token certificate, the first key pair and the second key pair.
2. The method of claim 1, wherein after the service platform and the mobile terminal perform key agreement based on the first key pair, the service platform generates a second key pair through a second security module, and the method comprises:
the mobile terminal signs the security request information based on the first private key to obtain first security signing information, wherein the security request information comprises the first public key; performing white-box encryption on the first security signing information and the security request information to obtain first security encryption information; sending the first security encryption information to the service platform;
the service platform performs white-box decryption on the first security encryption information to obtain the first public key and the first security signing information; and verifying the first security signing information based on the first public key, and if the verification is successful, generating a second key pair through the second security module.
3. The method of claim 2, wherein the security request information further includes a mobile terminal identifier, and further comprising, after the step of storing the first public key to the second security module:
and the service platform respectively creates mapping relations between the first public key and the mobile terminal identification and between the second private key and the mobile terminal identification.
4. The method according to claim 3, wherein the encrypting and decrypting the service request information and the service response information by the token certificate, the first key pair and the second key pair between the mobile terminal and the service platform comprises:
the mobile terminal signs the service request information based on the first private key to obtain first service signing information; encrypting the first service signing information and the service request information based on the second public key to obtain first service encryption information; sending the first service encryption information, the token certificate and the mobile terminal identification to a service platform;
the service platform detects whether the token credential is expired or not, and if not, the service platform decrypts the first service encryption information based on a second private key corresponding to the mobile terminal identification to obtain first service signing information and service request information; checking the first service signing information based on a first public key corresponding to the mobile terminal identification, and if the first service signing information is checked successfully, signing the service response information based on a second private key corresponding to the mobile terminal identification to obtain second service signing information; encrypting the second service signing information and the service response information based on a first public key corresponding to the mobile terminal identification to obtain second service encryption information; sending the second service encryption information to the mobile terminal;
the mobile terminal decrypts the second service encryption information based on the first public key to obtain service response information and second service signing information; and checking the second service signing information based on the second public key, and if the second service signing information passes the checking, performing service processing based on the service response information.
5. The secure communication method for a mobile terminal according to claim 4, wherein after the step of detecting whether the token credential has expired by the service platform, the method further comprises:
and if the service platform detects that the token credential is expired, the service platform returns the information containing the error code to the mobile terminal.
6. The method as claimed in claim 1, wherein after the key agreement between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key in the first security module, which includes:
the service platform signs the security response information based on a second private key to obtain second security signing information, wherein the security response information comprises a second public key; encrypting the second security signing information and the security response information based on a first public key to obtain second security encryption information; sending the second security encryption information to the mobile terminal;
the mobile terminal decrypts the second security encryption information based on the first private key to obtain a second public key and second security signing information; and checking the second security signing information based on the second public key, and if the checking is successful, storing the second public key to the first security module.
7. The secure communication method for a mobile terminal according to claim 1, wherein before the step of receiving the token credential sent by the service platform, the method further comprises:
the mobile terminal sends the authentication data encrypted by the white box to a service platform;
the service platform obtains the authentication data after decryption based on the white box; performing authority authentication on the authentication data to obtain a token certificate; and sending the token certificate to the mobile terminal.
8. A secure communication apparatus for a mobile terminal, comprising: the mobile terminal is provided with a first security module, and the service platform is provided with a second security module;
the mobile terminal receives a token certificate sent by a service platform, and generates a first key pair through a first security module, wherein the first key pair comprises a first private key and a first public key;
after key agreement is carried out between the service platform and the mobile terminal based on the first key pair, the service platform generates a second key pair through a second security module, wherein the second key pair comprises a second private key and a second public key, and the first public key is stored in the second security module;
after key agreement is carried out between the mobile terminal and the service platform based on the first key pair and the second key pair, the mobile terminal stores the second public key to the first security module;
and the mobile terminal and the service platform perform encryption and decryption processing on the service request information and the service response information through the token certificate, the first key pair and the second key pair.
9. A mobile terminal secure communication device, comprising: a memory and a processor, the memory having stored therein at least one instruction, the at least one instruction being loaded and executed by the processor to implement the secure communication method of the mobile terminal according to any one of claims 1 to 7.
10. A computer-readable storage medium characterized by: the computer storage medium stores a computer program which, when executed by a processor, implements the mobile terminal secure communication method of any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111476311.1A CN113905368A (en) 2021-12-06 2021-12-06 Mobile terminal secure communication method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN113905368A true CN113905368A (en) 2022-01-07

Family

ID=79195360

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20220107)