CN113938279B - Key exchange method, device and system - Google Patents
Key exchange method, device and system Download PDFInfo
- Publication number
- CN113938279B CN113938279B CN202111533951.1A CN202111533951A CN113938279B CN 113938279 B CN113938279 B CN 113938279B CN 202111533951 A CN202111533951 A CN 202111533951A CN 113938279 B CN113938279 B CN 113938279B
- Authority
- CN
- China
- Prior art keywords
- information
- equipment
- server
- target terminal
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 67
- 238000012795 verification Methods 0.000 claims abstract description 45
- 230000003068 static effect Effects 0.000 claims description 30
- 230000008569 process Effects 0.000 claims description 25
- 238000007689 inspection Methods 0.000 claims description 16
- 238000012545 processing Methods 0.000 claims description 11
- 238000004891 communication Methods 0.000 claims description 9
- 238000012360 testing method Methods 0.000 claims 2
- 238000004422 calculation algorithm Methods 0.000 description 12
- 238000010586 diagram Methods 0.000 description 8
- 238000004364 calculation method Methods 0.000 description 7
- 230000003993 interaction Effects 0.000 description 6
- 230000000903 blocking effect Effects 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 239000002699 waste material Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The application provides a method, equipment and a system for exchanging keys, wherein the method comprises the following steps: the terminal device generates a device public key and a device private key through a program running in the internal TEE, collects device information, and signs the device public key and the device information based on the device private key. And the terminal equipment sends registration information comprising the signature result, the equipment public key and the equipment information to a server. And the server determines that the signature result passes the signature verification according to the equipment public key and the equipment information, generates an equipment identifier corresponding to the terminal equipment when the equipment information is determined to be in accordance with the verification condition, and sends the equipment identifier and the public key of the server to the terminal equipment. Through the scheme, the safe public key exchange between the terminal equipment and the server can be realized.
Description
Technical Field
The invention relates to the technical field of Internet of things, in particular to a key exchange method, device and system.
Background
The internet of things (IoT) is an important component of a new generation of information technology and is also an important development stage in the information era. With the continuous development of the internet of things, the safety problem is more and more widely regarded.
When the device side and the server side of the internet of things establish communication connection, bidirectional authentication is required to be carried out so as to ensure the communication safety of the two sides. A common two-way authentication method is authentication using an asymmetric key system, and at this time, two parties need to exchange public keys of each other in advance. However, at present, a lot of existing internet-of-things devices do not burn a unique public and private key pair corresponding to the terminal device on the device when leaving the factory, and when networking with the server is required, a public key of the internet-of-things device is generated and registered with the server. The server needs to check the information uploaded by the terminal device to ensure the security of information transmission between the two parties.
Disclosure of Invention
The embodiment of the invention provides a method, equipment and a system for exchanging a key, which are used for improving the security of the public key exchange process of terminal equipment and a server.
In a first aspect, an embodiment of the present invention provides a key exchange method, which is applied to a target terminal device, and the method includes:
generating a device public key and a device private key by a program running in an internal trusted environment;
acquiring equipment information of the terminal equipment through the program;
signing, by the program, the device public key and the device information based on the device private key;
sending registration information to a server, wherein the registration information comprises a signature result, the equipment public key and the equipment information;
and receiving the equipment identifier fed back by the server and the public key of the server, wherein the equipment identifier is generated when the server determines that the signature result passes the signature verification according to the equipment public key and the equipment information and determines that the equipment information meets the verification condition, and the equipment identifier is used for uniquely identifying the target terminal equipment.
In a second aspect, an embodiment of the present invention provides a key exchange apparatus, which is applied to a target terminal device, and the apparatus includes:
the processing module is used for generating a device public key and a device private key through a program running in an internal trusted environment, acquiring device information of the terminal device through the program, and signing the device public key and the device information through the program based on the device private key;
a sending module, configured to send registration information to a server, where the registration information includes a signature result, the device public key, and the device information;
and the receiving module is used for receiving the equipment identifier fed back by the server and the public key of the server, wherein the equipment identifier is generated when the server determines that the signature result passes the signature verification according to the equipment public key and the equipment information and determines that the equipment information meets the verification condition, and the equipment identifier is used for uniquely identifying the target terminal equipment.
In a third aspect, an embodiment of the present invention provides a terminal device, including: a memory, a processor, a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to implement at least the key exchange method of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of a terminal device, causes the processor to implement at least the key exchange method according to the first aspect.
In a fifth aspect, an embodiment of the present invention provides a key exchange method, which is applied to a server, where the method includes:
receiving registration information sent by a terminal device, wherein the registration information comprises a signature result, a device public key and device information, and the signature result is obtained by generating the device public key and the device private key by the terminal device through a program running in an internal trusted environment and collecting the device information and then signing the device public key and the device information according to the device private key;
according to the equipment public key and the equipment information, determining that the signature result passes signature verification, and generating an equipment identifier corresponding to the terminal equipment when the equipment information is determined to meet a verification condition, wherein the equipment identifier is used for uniquely identifying the terminal equipment;
and sending the equipment identification and the public key of the server to the terminal equipment.
In a sixth aspect, an embodiment of the present invention provides a key exchange apparatus, which is applied to a server, and the apparatus includes:
the terminal equipment comprises a receiving module and a processing module, wherein the receiving module is used for receiving registration information sent by the terminal equipment, the registration information comprises a signature result, an equipment public key and equipment information, and the signature result is obtained by generating the equipment public key and the equipment private key by the terminal equipment through a program running in an internal trusted environment, collecting the equipment information and then signing the equipment public key and the equipment information according to the equipment private key;
the authentication module is used for determining that the signature result passes the signature verification according to the equipment public key and the equipment information, and generating an equipment identifier corresponding to the terminal equipment when the equipment information is determined to meet the verification condition, wherein the equipment identifier is used for uniquely identifying the terminal equipment;
and the sending module is used for sending the equipment identifier and the public key of the server to the terminal equipment.
In a seventh aspect, an embodiment of the present invention provides a server, including: a memory, a processor, a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to implement at least the key exchange method of the fifth aspect.
In an eighth aspect, an embodiment of the present invention provides a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of a server, causes the processor to implement at least the key exchange method according to the fifth aspect.
In a ninth aspect, an embodiment of the present invention provides a key exchange system, including: a plurality of terminal devices and a server;
the target terminal device in the plurality of terminal devices is used for generating a device public key and a device private key through a program running in an internal trusted environment, acquiring device information, and signing the device public key and the device information according to the device private key; sending registration information to the server, wherein the registration information comprises a signature result, the equipment public key and the equipment information; receiving the device identification fed back by the server and the public key of the server;
and the server is used for generating an equipment identifier corresponding to the target terminal equipment and sending the equipment identifier and the public key of the server to the target terminal equipment when the signature result passes the signature verification according to the equipment public key and the equipment information is determined to be in accordance with the verification condition, wherein the equipment identifier is used for uniquely identifying the target terminal equipment.
In the embodiment of the present invention, in a situation that a target terminal device needs to exchange respective public keys with a server, a Trusted Execution Environment (TEE for short) is built inside the target terminal device, and a program having functions of key generation, device information acquisition, and signature calculation is encapsulated in the TEE, and the target terminal device can generate a device public key and a device private key through the program in the TEE, acquire device information, and sign the device public key and the acquired device information according to the device private key. Thereafter, the target terminal device may transmit registration information including the signature result, the device public key, and the device information to the server. The server checks the signature result based on the device public key and the device information contained in the registration information, if the signature result is confirmed to pass the signature check, the received device information is further checked, if the device information meets the check condition, a device identification corresponding to the target terminal device is generated, the device identification and the server public key are sent to the target terminal device, and the device identification is used for uniquely identifying the target terminal device.
In the scheme, the TEE is used for ensuring the safe generation and storage of the public and private keys of the equipment end, and equipment information acquisition and private message signature logic are integrated in the TEE, so that the uploading safety of the public key of the equipment is ensured, and the risk that the public key of the equipment is successfully attacked in the uploading process is reduced. In addition, the registration information uploaded by the equipment terminal also comprises the equipment information acquired in the TEE, and the validity of the equipment information is also considered in the process of safety verification of the equipment terminal by the service terminal, so that the accuracy of a detection result can be further improved, and the information interaction safety of the equipment terminal and the service terminal is ensured.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic diagram of a key exchange system according to an embodiment of the present invention;
fig. 2 is an interaction flowchart of a key exchange method according to an embodiment of the present invention;
fig. 3 is an interaction flowchart of a key exchange method according to an embodiment of the present invention;
fig. 4 is a flowchart of a key exchange method according to an embodiment of the present invention;
fig. 5 is a flowchart of a key exchange method according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a key exchange device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a terminal device corresponding to the key exchange apparatus provided in the embodiment shown in fig. 6;
fig. 8 is a schematic structural diagram of a key exchange device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a server corresponding to the key exchange device provided in the embodiment shown in fig. 8.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The features of the embodiments and examples described below may be combined with each other without conflict between the embodiments. In addition, the sequence of steps in each method embodiment described below is only an example and is not strictly limited.
Fig. 1 is a schematic diagram of a key exchange system according to an embodiment of the present invention, as shown in fig. 1, the system includes a plurality of terminal devices and a server, where the plurality of terminal devices include terminal devices corresponding to the same product produced by the same manufacturer.
The product is, for example, a certain type of air conditioner, and each terminal device corresponding to the product is each actually produced air conditioner corresponding to the product. Therefore, the product can be understood as a product category and a product model.
For convenience of description, it is assumed in the embodiment of the present invention that the plurality of terminal apparatuses correspond to the same product generated by the same manufacturer. In an application scenario of the internet of things, when the terminal devices leave a factory, unique device identifiers are not distributed, and no key pairs (device public keys and device private keys) are burned, so that when the terminal devices need to be networked with a server, the terminal devices need to dynamically generate the corresponding key pairs and safely send the device public keys to the server, so that when the server verifies that the device public keys meet conditions, the server generates the device identifiers for the corresponding terminal devices and feeds back the public keys of the server. Therefore, the terminal device and the server finish the exchange of the public keys of the two parties, and then the mutual authentication can be finished based on the public key of the other party in the subsequent communication connection process.
The following describes, in conjunction with fig. 2, an interaction procedure between the terminal device and the server during the public key exchange phase. In fig. 2, only one terminal device (referred to as a target terminal device) among a plurality of terminal devices will be described as an example.
The target terminal device may be pre-configured with a TEE, and the target terminal device may further include a Rich Execution Environment (REE) in addition to the Execution Environment of the TEE. The TEE has a separate operating system for storing, processing and protecting sensitive data. REE has a strong handling capacity but insufficient safety. The untrusted environment is here the REE.
Fig. 2 is an interaction flowchart of a key exchange method according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
200. the target terminal equipment applies for obtaining the product key and/or the product identification from the server.
This step belongs to the preceding step, and by execution of this step, the target terminal device can acquire the product key and the product identification assigned thereto from the server. Wherein, a plurality of terminal devices belonging to the same product of the same manufacturer have the same product identification and product key. The product identifier is used for identifying the same product generated by the same manufacturer, and the product key can be a product public key in an asymmetric key and is generated by the server.
201. And the target terminal equipment generates an equipment public key and an equipment private key through a program running in the TEE and acquires equipment information.
202. The target terminal device signs the device public key and the device information by using the device private key through a program running in the TEE.
In the embodiment of the invention, in order to ensure the safety of the information generated by the target terminal equipment, the generation process of the equipment public key and the equipment private key, the acquisition process of the equipment information and the digital signature process can be carried out in the TEE. That is, a program (code) for performing key generation, device information acquisition, and digital signature calculation may be previously set in the TEE, and the processing of the above steps may be performed by calling the program.
In this embodiment, the generation algorithm of the device public key and the device private key is not limited, and after the device public key and the device private key are generated, the device private key is always stored in the TEE, so that leakage is avoided.
In this embodiment, optionally, the device information acquired through the program in the TEE includes, for example, a One Time Password (OTP) and a corresponding generation Time thereof, and the like. It should be noted that, when a TEE is constructed, relevant hardware resources used independently are allocated, and therefore, the device information may be considered to refer to attribute information of relevant hardware devices used by the TEE, and may further include state information or variable information dynamically generated in the running process, where the variable information is, for example, the OTP.
The collected device information and the generated device public key are subjected to digital signature calculation, and when the digital signature is carried out, the device public key and the device information are signed by adopting a device private key.
Optionally, the splicing result of the device information and the device public key may be split into multiple segments, each segment calculates a digest (block digest), then, the digest corresponding to each segment is subjected to a calculation process of a digest algorithm again to obtain a final digest (top-level digest), and then, the top-level digest is subjected to a signature process by using the device private key to obtain a signature result.
In this embodiment, the adopted signature algorithm, digest algorithm, and blocking logic are not limited, and it is emphasized that the adopted signature algorithm, digest algorithm, and blocking logic are embedded in the TEE and cannot be obtained by an attack. In addition, it can be understood that the signature algorithm, the digest algorithm and the blocking logic server side are visible, so that the subsequent server can perform signature verification.
As described above, when it is assumed that a plurality of terminal devices are of the same product produced by the same manufacturer, the manufacturer side may negotiate with the server side in advance to use the above algorithm and blocking logic, so that the plurality of terminal devices use the same algorithm and blocking logic.
203. And the target terminal device sends registration information to the server through a program operated in the REE, wherein the registration information comprises a signature result, a device public key and device information.
And after the target terminal equipment completes the generation of the key pair, the acquisition of the equipment information and the calculation of the digital signature in the TEE, skipping to the REE to upload registration information to a server through a program in the REE, wherein the registration information comprises a signature result, an equipment public key and equipment information. That is, the program in the TEE may transmit the signature result, the device public key, and the device information to the program in the REE.
As shown in step 200, in practical applications, after the target terminal device has obtained the product key and the product identifier from the server, the registration information may further include the product identifier, and optionally, the device public key in the registration information may also be encrypted by the product key.
Specifically, the product key and the product identifier may be stored in the TEE or the REE. If the signature result, the device public key and the device information are stored in the REE, after the signature result, the device public key and the device information sent by the program in the TEE are received by the program in the REE, the device public key is encrypted by the product key, and registration information containing the signature result, the encrypted device public key, the device information and the product identification is generated. If the signature is stored in the TEE, the program in the TEE encrypts the device public key by using the product key, and then sends the signature result, the encrypted device public key, the device information and the product identifier to the REE, and the program in the REE constructs registration information containing the signature result, the encrypted device public key, the device information and the product identifier.
It is to be understood that, if the target terminal device obtains only the product identifier assigned by the server without obtaining the product key, the product identifier may be optionally included in the registration information.
204. And the server checks the signature result according to the equipment public key and the equipment information.
205. And when the server determines that the signature result passes the signature verification, the server verifies the equipment information.
206. And when the server determines that the equipment information meets the inspection conditions, generating an equipment identifier corresponding to the target terminal equipment.
After receiving the registration information, the server analyzes the signature result, the equipment public key, the equipment information and the product identification, and then verifies the signature of the signature result based on the equipment public key and the equipment information contained in the signature result.
The following briefly illustrates the process of signing and verifying a signature:
assume that the device public key generated by the target end device is represented as public key K1 and the device private key is represented as private key K2. The public key K1 and the device information may be first subjected to digest calculation processing by a certain digital digest algorithm, assuming that the obtained digest is H1, and then the digest H1 is encrypted by the private key K2 to obtain the signature result C1. The target terminal device transmits registration information including the signature result C1, the public key K1, and the device information to the server. The server performs digest calculation processing on the public key K1 and the device information by using the same digital digest algorithm, assuming that the obtained digest is H2, then, the server decrypts the signature result C1 by using the public key K1 to obtain encrypted H1, compares H1 with H2, if the signature result C1 passes signature verification, that is, the signature verification is successful, and otherwise, the signature verification fails.
If the signature verification fails, it indicates that the registration information uploaded to the server by the target terminal device may be attacked, for example, the public key of the device in the registration information is replaced with the public key of some device of the attacker.
In practical application, the successful signature verification indicates that the registration information uploaded by the target terminal device is not tampered, but the validity of the registration information cannot be completely guaranteed, because some other non-compliance behaviors or attack behaviors may exist. For example, the target terminal device repeatedly registers with the server; for another example, the signature correlation mechanism is obtained by an attacker, and the attacker reports and registers the own device public key and the device information.
Therefore, in the embodiment of the present invention, after the server successfully verifies the signature of the signature result uploaded by the target terminal device, the device information carried in the registration information of the target terminal device is also verified, so as to verify the validity of the device information.
In summary, the server may obtain a registered device information list corresponding to the same product identifier, and compare the device information list with the device information uploaded by the target terminal device to complete the verification of the device information uploaded by the target terminal device.
In practical applications, optionally, in a hypothetical situation that a plurality of terminal devices correspond to the same product of the same manufacturer, the manufacturer may upload in advance device information corresponding to each of the plurality of terminal devices that the manufacturer produces to the server for storage, where the registered device information list in the server is formed by device information corresponding to each of the plurality of terminal devices that the manufacturer has registered in the server in advance. Or, optionally, in response to registration information triggered to the server by the plurality of terminal devices at different times, when the server verifies a signature result corresponding to the signature success based on the process, the server may store the device information included in the corresponding registration information in the device information list in correspondence with the product identifier, that is, the server dynamically collects device information sent by each terminal device corresponding to the same product identifier, so as to check device information uploaded by subsequent terminal devices corresponding to the same product identifier.
In fact, there are some common characteristics in the device information of each terminal device corresponding to the same product identifier, for example, each terminal device uses the same type of network card and the same type of memory card produced by the same manufacturer. However, there may be differences between the terminal devices, for example, the device serial number of the network card used by each terminal device is different, and the serial number identifier of the memory card used by each terminal device is different.
Based on this, optionally, if the device information uploaded by the current target terminal device does not match the device information included in the device information list corresponding to the same product identifier, it is determined that the device information uploaded by the target terminal device does not pass the inspection. For example, the collected device information indicates that the memory card produced by the manufacturer a is used, but the device information uploaded by the target terminal device indicates that the memory card produced by the manufacturer B is used.
And when the server determines that the signature result of the target terminal equipment passes the signature verification and determines that the uploaded equipment information passes the verification, the target terminal equipment is considered to be legal, and equipment identification is allocated to the target terminal equipment. The corresponding device identifications of different terminal devices in the server are different.
207. And the server sends the device identification corresponding to the target terminal device and the public key of the server to the target terminal device.
In practical application, the server may encrypt the device identifier sent to the target terminal device and the public key of the server by using the product key, and send the encrypted result to the target terminal device. The target terminal device stores the device identification and the public key of the server.
In the solution provided by the above embodiment, the generation of the key pair, the collection of the device information, and the processing of the digital signature are completed in the TEE in the target terminal device, so that the risk of leakage of these sensitive information can be reduced. In addition, the server stores the device public key of the terminal device locally, allocates a device identifier for the device public key and issues the public key of the device public key when the device information of the terminal device is carried in the registration information and the server can successfully verify the signature result and confirm that the device information passes the verification, so that the security of the exchange process of the terminal device and the server public key is ensured.
Fig. 3 is an interaction flowchart of a key exchange method according to an embodiment of the present invention, as shown in fig. 3, the method includes the following steps:
300. and the target terminal equipment applies for obtaining the product key and the product identification from the server.
301. The target terminal device generates a device public key and a device private key through a program running in the TEE, and collects first device information.
As described above, the program in the TEE only collects attribute information of the relevant device that is visible to the TEE and dynamic information generated during use of the device, such as OTP and time of generation thereof, etc.
302. And the target terminal equipment acquires second equipment information through a program running in the REE and transmits the second equipment information to the TEE.
Since the device information that can be collected in the TEE is relatively limited, in order to measure the device information more accurately and comprehensively, the device information can be collected in the REE, and the device information that can be collected in the REE includes, for example, attribute information of a network card, attribute information of a memory card, attribute information of a control chip, and the like. Since the security of the REE is poor, in order to avoid the acquisition logic of the device information in the REE from being attacked, code obfuscation processing may be performed on the program running in the REE, so as to protect the acquisition logic of the second device information. In short, the code obfuscation process may include encrypting key codes and parameters therein, inserting some pseudo codes, and so on.
In practical applications, a program in the TEE may trigger a request to the REE to request the program in the REE to acquire the second device information, and the program in the REE transmits the second device information to the program in the TEE after acquiring the second device information.
303. And the target terminal equipment signs the equipment public key and the equipment information by utilizing the equipment private key through a program running in the TEE.
The device information in step 303 includes first device information and second device information.
304. And the target terminal device sends registration information to the server through a program operated in the REE, wherein the registration information comprises a signature result, a device public key, device information and a product identifier.
305. And the server checks the signature result according to the equipment public key and the equipment information.
306. And when the server determines that the signature result passes the signature verification, acquiring a registered equipment information list corresponding to the product identification, and verifying the equipment information according to the equipment information list.
307. And when the server determines that the equipment information meets the inspection conditions, generating an equipment identifier corresponding to the target terminal equipment.
308. And the server sends the device identification corresponding to the target terminal device and the public key of the server to the target terminal device.
The target terminal device then stores the received device identification and the public key of the server.
In this embodiment, the process of digital signature and signature verification is not described in detail.
An optional device information verification process is described in this embodiment.
As can be seen from the foregoing examples, the actually acquired device information may include two types of device information, namely static information and dynamic information, where the static information refers to device information that does not change during the use of the terminal device, such as attribute information (such as manufacturer, model, serial number) of the network card, the memory card, and the control chip in the foregoing examples; the dynamic information refers to device information that dynamically changes during the use of the terminal device, such as the OTP and its generation time, the read-write times of the memory card, and so on.
In view of this, the device information list described above has two cases:
first, when a device manufacturer registers device information corresponding to each of a plurality of terminal devices that it produces in a server in advance, the registered device information corresponds to the above static information, and for example, a device information list includes the following two pieces of device information: the network card produced by the manufacturer X has a serial number of 123456; the network card manufactured by manufacturer X has a serial number of 235678. It can be understood that, at this time, the terminal device has not yet acquired the unique device identifier assigned by the server, and therefore, the device information list does not include the device identifier. In addition, when the server stores the device information list, the server stores the corresponding relation between the device information list and the product identification, so that the device information list needing to be used is determined based on the product identification.
Secondly, when the server is an equipment information list obtained by statistics after the registration information is uploaded by the terminal equipment, the equipment information stored in the equipment information list includes both static information and dynamic information. Specifically, when the server receives registration information carrying a certain product identifier for the first time, after the signature verification of the signature result included in the registration information is completed, the device information carried in the registration information may be stored in a list, and the list is associated with the product identifier. By analogy, assume that some device information has been collected and all of the device information contains matching static information. The matching is, as described above, that the common part of the static information is consistent.
For the registration information sent by the current target terminal equipment, after determining that the signature result passes the signature verification, the server checks the carried equipment information, and the specific checking process is as follows:
if the item matched with the static information in the equipment information list is not inquired, determining that the target terminal equipment does not accord with the inspection condition;
if the item matched with the static information and the dynamic information in the equipment information list is inquired, determining that the target terminal equipment does not accord with the inspection condition;
and if the item matched with the static information is inquired in the equipment information list, the dynamic information is not matched with the inquired item, and the distributed equipment identifier corresponding to the equipment public key does not exist in the server, determining that the target terminal equipment meets the inspection condition.
The precondition for executing the above-mentioned checking process is that the server can dynamically collect the device information uploaded by each terminal device, i.e. can collect the device information including static information and dynamic information.
For the current target terminal device, whether a record (namely an entry) matched with the static information in the uploaded device information exists in the collected device information list corresponding to the same product identifier is inquired, if the record (namely the entry) is not inquired, the target terminal device can be directly determined to be an illegal device which cannot pass the check, and comparison of the dynamic information is not needed at the moment. As described above, the matching of the static information refers to common device information of other terminal devices corresponding to the same product identifier, for example, the manufacturers of the memory cards are the same manufacturer, and the network cards are the same model.
When the list item matched with the static information uploaded by the target terminal equipment is inquired in the equipment information list, continuously comparing whether the dynamic information stored in the list item is matched with the dynamic information uploaded by the target terminal equipment, and if so, determining that the target terminal equipment does not accord with the inspection condition. Wherein, the matching of the dynamic information may refer to the agreement. In the actual use process of different terminal devices, the respective generated dynamic device information is not completely consistent, especially in the case of collecting various dynamic information. Therefore, if it is found that there is an entry matching both the static information and the dynamic information of the target terminal device in the collected device information list, it is determined that the target terminal device cannot pass the check.
However, if the device information list is searched for an entry matching the static information of the target terminal device and the dynamic information of the target terminal device does not match the searched entry, it may be preliminarily determined that the target terminal device passes the inspection, but only if the definition needs to perform the device identifier assignment operation after passing the inspection, it still cannot finally be determined that the target terminal device passes the inspection. Because in practical application, the terminal equipment can be repeatedly registered.
The repeated registration means that the target terminal device transmits registration information to the server at time T1 and receives the device identifier assigned thereto by the server, but the device identifier may be lost if the device identifier is not already recorded due to a user error operation or the like, and at this time, the target terminal device repeatedly transmits registration information to the server at subsequent time T2. At time T2, the dynamic information of the target terminal device changes from the dynamic information of the target terminal device at time T1, for example, the number of times of reading and writing of the memory card increases, for example, the OTP parameter used in the digital signature process changes, therefore, after the server receives the registration information sent for the second time and completes the signature verification of the signature result, the server finds, through comparison of the device information list, that an entry matching the static information of the target terminal device is found in the device information list, and the dynamic information of the target terminal device does not match the found entry, at this time, the server determines that the registration is repeated. And the server inquires an equipment identifier distribution result, wherein the distribution result stores the corresponding relation between the equipment public key and the equipment identifier. And if the device identifier corresponding to the device public key uploaded by the target terminal device does not exist, determining that the target terminal device meets the inspection condition, generating the device identifier for the target terminal device, and sending the device identifier to the target terminal device. Otherwise, if the device identifier corresponding to the device public key uploaded by the target terminal device is found, the current registration behavior of the target terminal device is determined to be repeated registration, the device identifier already allocated to the target terminal device is retrieved, and the device identifier is sent to the target terminal device.
In summary, based on the scheme provided by the embodiment of the present invention, the following advantages can be obtained:
1. and a public and private key pair of the equipment is generated in the TEE, and the private key of the equipment does not go out of the TEE, so that the safety of the equipment is ensured.
2. The process of uploading the device public key by the terminal device is also secure. On one hand, the method is embodied as follows: the signature mechanism is protected in the TEE, and an attacker is difficult to replace the device public key in the registration information with the public key of an illegal device. On the other hand, the method is characterized in that: the server can identify the repeated registration information uploaded by the same terminal equipment so as to avoid repeated generation of equipment identification. Since a manufacturer generally applies for a set number of device identifier shares (the number matches the number of terminal devices of the same product produced by the manufacturer) in advance in the server, the server only generates a corresponding number of device identifiers for the manufacturer, and repeated generation causes a waste of quota.
3. The reported virtual information can be identified by the server. Firstly, the server needs to check the signature result uploaded by the terminal device, so that an attacker can be prevented from only modifying the public key field of the device or uploading other independent data. Secondly, even if the signature mechanism is obtained by an attacker who reports the illegal public key and the device information, the server can also find the attack behavior by comparing the reported device information with the device information of the real terminal device (legal device).
Fig. 4 is a flowchart of a key exchange method according to an embodiment of the present invention, where the method may be executed by any terminal device in the multiple terminal devices, and as shown in fig. 4, the method includes:
401. the device public key and the device private key are generated by a program running in the internal trusted environment.
402. And acquiring the equipment information of the terminal equipment through the program.
403. Through the program, the device public key and the device information are signed based on the device private key.
404. And sending registration information to the server, wherein the registration information comprises a signature result, a device public key and device information.
405. And receiving the equipment identifier fed back by the server and the public key of the server, wherein the equipment identifier is generated when the server determines that the signature result passes the signature verification according to the equipment public key and the equipment information and determines that the equipment information meets the verification condition.
Fig. 5 is a flowchart of a key exchange method according to an embodiment of the present invention, where the method may be executed by the server, as shown in fig. 5, where the method includes:
501. and receiving registration information sent by the terminal equipment, wherein the registration information comprises a signature result, an equipment public key and equipment information, and the signature result is obtained by signing the equipment public key and the equipment private key and acquiring the equipment information according to the equipment private key after the terminal equipment generates the equipment public key and the equipment private key through a program running in an internal trusted environment.
502. And determining that the signature result passes the signature verification according to the equipment public key and the equipment information, and generating an equipment identifier corresponding to the terminal equipment when the equipment information is determined to accord with the verification condition.
503. And sending the device identification and the public key of the server to the terminal device.
The key exchange device of one or more embodiments of the present invention will be described in detail below. Those skilled in the art will appreciate that these means can each be constructed using commercially available hardware components and by performing the steps taught in this disclosure.
Fig. 6 is a schematic structural diagram of a key exchange apparatus according to an embodiment of the present invention, where the apparatus is located in a terminal device, and as shown in fig. 6, the apparatus includes: a processing module 11, a sending module 12 and a receiving module 13.
The processing module 11 is configured to generate an apparatus public key and an apparatus private key through a program running in an internal trusted environment, acquire apparatus information of the terminal apparatus through the program, and sign the apparatus public key and the apparatus information based on the apparatus private key through the program.
A sending module 12, configured to send registration information to a server, where the registration information includes a signature result, the device public key, and the device information.
A receiving module 13, configured to receive an apparatus identifier fed back by the server and a public key of the server, where the apparatus identifier is generated when the server determines that the signature result passes the signature verification according to the apparatus public key and the apparatus information, and determines that the apparatus information meets the verification condition, and the apparatus identifier is used to uniquely identify the target terminal apparatus.
The apparatus shown in fig. 6 may perform the steps performed by the target terminal device in the foregoing embodiment, and the detailed performing process and technical effect refer to the description in the foregoing embodiment, which are not described herein again.
In one possible design, the structure of the key exchange apparatus shown in fig. 6 may be implemented as a terminal device. As shown in fig. 7, the electronic device may include: a processor 21, a memory 22, and a communication interface 23. Wherein the memory 22 has stored thereon executable code which, when executed by the processor 21, makes the processor 21 at least to implement the steps performed by the target terminal device as in the previous embodiments.
In addition, an embodiment of the present invention provides a non-transitory machine-readable storage medium, which stores executable code thereon, and when the executable code is executed by a processor of a terminal device, the processor is enabled to implement at least the steps performed by the target terminal device as in the foregoing embodiments.
Fig. 8 is a schematic structural diagram of a key exchange device according to an embodiment of the present invention, where the key exchange device is located at a server, and as shown in fig. 8, the key exchange device includes: a receiving module 31, an authentication module 32, and a transmitting module 33.
The receiving module 31 is configured to receive registration information sent by a terminal device, where the registration information includes a signature result, a device public key, and device information, and the signature result is obtained by generating the device public key and the device private key by the terminal device through a program running in an internal trusted environment, collecting the device information, and then signing the device public key and the device information according to the device private key.
And the authentication module 32 is configured to determine that the signature result passes the signature verification according to the device public key and the device information, and generate a device identifier corresponding to the terminal device when it is determined that the device information meets the verification condition, where the device identifier is used to uniquely identify the terminal device.
A sending module 33, configured to send the device identifier and the public key of the server to the terminal device.
The apparatus shown in fig. 8 may perform the steps performed by the server in the foregoing embodiment, and for details of the performing process and the technical effect, reference is made to the description in the foregoing embodiment, which is not described herein again.
In one possible design, the structure of the key exchange device shown in fig. 8 may be implemented as a server. As shown in fig. 9, the electronic device may include: processor 41, memory 42, communication interface 43. Wherein the memory 42 has stored thereon executable code which, when executed by the processor 41, causes the processor 41 to at least carry out the steps performed by the server as in the previous embodiments.
Additionally, an embodiment of the present invention provides a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of a server, causes the processor to implement at least the steps performed by the server as in the previous embodiments.
The above described embodiments of the apparatus are merely illustrative, wherein the network elements illustrated as separate components may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by adding a necessary general hardware platform, and of course, can also be implemented by a combination of hardware and software. With this understanding in mind, the above-described aspects and portions of the present technology which contribute substantially or in part to the prior art may be embodied in the form of a computer program product, which may be embodied on one or more computer-usable storage media having computer-usable program code embodied therein, including without limitation disk storage, CD-ROM, optical storage, and the like.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (13)
1. A key exchange system, comprising: a plurality of terminal devices and a server;
the target terminal device in the plurality of terminal devices is used for acquiring a product identifier from the server, generating a device public key and a device private key through a program running in an internal trusted environment, collecting device information, and signing the device public key and the device information according to the device private key; sending registration information to the server, wherein the registration information comprises a signature result, the equipment public key, the product identifier and the equipment information; receiving the device identification fed back by the server and the public key of the server; the plurality of terminal devices share the product identification; the device information comprises static information and dynamic information;
the server is used for determining that the signature result passes the signature verification according to the equipment public key and the equipment information, and acquiring a dynamically generated device information list corresponding to the product identifier, if a table entry matched with the static information of the target terminal device is inquired in the device information list, and the dynamic information of the target terminal device does not match the entry, and the server does not have the allocated device identifier corresponding to the device public key, determining that the target terminal device meets the inspection condition, generating a device identifier corresponding to the target terminal device, and sending the device identifier and the public key of the server to the target terminal device, adding the device information of the target terminal device into the device information list, wherein the device identifier is used for uniquely identifying the target terminal device;
in the process of dynamically generating the device information list, the server is specifically configured to generate an initial device information list in the following manner: receiving at least two pieces of registration information sent by at least two pieces of terminal equipment corresponding to the product identifiers, if it is determined that signature results in the at least two pieces of registration information pass signature verification respectively and the pieces of equipment information contained in the at least two pieces of registration information respectively have matched static information, generating an initial equipment information list according to the pieces of equipment information contained in the at least two pieces of registration information respectively, wherein the at least two pieces of registration information are received before the registration information of the target terminal equipment.
2. The system according to claim 1, wherein in the process of collecting the device information, the target terminal device is configured to: the method includes collecting first device information by a program running in an internal trusted environment and second device information collected by a program running in an internal untrusted environment, and transferring the second device information to the program running in the internal trusted environment.
3. The system according to claim 2, wherein the target terminal device is further configured to perform code obfuscation processing on the program running in the internal untrusted environment, so as to protect the acquisition logic of the second device information.
4. The system according to claim 1 or 2, wherein the target terminal device is further configured to obtain a product key from the server, and sign the encrypted device public key and the device information according to the device private key; the encrypted device public key is obtained by encrypting the device public key by using the product key; the plurality of terminal devices share the product key.
5. The system of claim 1, wherein the server is configured to:
if the item matched with the static information of the target terminal equipment is not inquired in the equipment information list, determining that the target terminal equipment does not accord with the inspection condition;
and if the item matched with the static information of the target terminal equipment and the dynamic information of the target terminal equipment is inquired in the equipment information list, determining that the target terminal equipment does not meet the inspection condition.
6. The system of claim 5, wherein the server is further configured to: and if the list item matched with the static information is inquired in the equipment information list, the dynamic information is not matched with the list item, and the distributed equipment identifier corresponding to the equipment public key exists in the server, feeding back the distributed equipment identifier to the target terminal equipment.
7. A key exchange method is applied to a target terminal device, wherein the target terminal device is one of a plurality of terminal devices sharing a product identifier; the method comprises the following steps:
generating a device public key and a device private key by a program running in an internal trusted environment;
acquiring equipment information of the terminal equipment through the program, wherein the equipment information comprises static information and dynamic information;
signing, by the program, the device public key and the device information based on the device private key;
sending registration information to a server, wherein the registration information comprises a signature result, the equipment public key, the product identifier and the equipment information;
receiving an equipment identifier fed back by the server and a public key of the server, wherein the equipment identifier is generated when the server determines that the signature result passes signature verification according to the equipment public key and the equipment information and determines that the equipment information meets a verification condition, and the equipment identifier is used for uniquely identifying the target terminal equipment; the server acquires a dynamically generated device information list corresponding to the product identifier, and if a table entry matched with the static information of the target terminal device is inquired in the device information list, the dynamic information of the target terminal device is not matched with the table entry, and the server does not have an allocated device identifier corresponding to the device public key, the target terminal device is determined to be in accordance with a test condition; the server is specifically configured to generate the initial device information list in the following manner: receiving at least two pieces of registration information sent by at least two pieces of terminal equipment corresponding to the product identifiers, if it is determined that signature results in the at least two pieces of registration information pass signature verification respectively and the pieces of equipment information contained in the at least two pieces of registration information respectively have matched static information, generating an initial equipment information list according to the pieces of equipment information contained in the at least two pieces of registration information respectively, wherein the at least two pieces of registration information are received before the registration information of the target terminal equipment.
8. The method according to claim 7, wherein the collecting device information of the terminal device by the program comprises:
acquiring first device information of the terminal device through the program running in the internal trusted environment;
sending an information acquisition request to a program running in an internal non-trusted environment through the program running in the internal trusted environment so as to acquire second device information acquired by the program running in the internal non-trusted environment.
9. The method of claim 8, wherein sending registration information to a server comprises:
sending, by the program running in the internal trusted environment, the registration information to the program running in the internal untrusted environment to send, by the program running in the internal untrusted environment, the registration information to the server.
10. A key exchange method applied to a server comprises the following steps:
receiving registration information sent by target terminal equipment, wherein the registration information comprises a signature result, an equipment public key, a product identifier and equipment information, the signature result is obtained by generating the equipment public key and an equipment private key by the target terminal equipment through a program running in an internal trusted environment and collecting the equipment information and then signing the equipment public key and the equipment information according to the equipment private key, and the equipment information comprises static information and dynamic information; the target terminal device is one of a plurality of terminal devices sharing the product identifier;
according to the equipment public key and the equipment information, determining that the signature result passes signature verification, and acquiring a dynamically generated equipment information list corresponding to the product identifier;
if an item matched with the static information of the target terminal device is inquired in the device information list, the dynamic information of the target terminal device is not matched with the item, and the server does not have an allocated device identifier corresponding to the device public key, determining that the target terminal device meets a test condition, and generating a device identifier corresponding to the terminal device, wherein the device identifier is used for uniquely identifying the terminal device;
sending the equipment identifier and the public key of the server to the terminal equipment;
wherein the initial device information list is generated by: receiving at least two pieces of registration information sent by at least two pieces of terminal equipment corresponding to the product identifiers, if the signature results in the at least two pieces of registration information are respectively determined to pass signature verification and the equipment information contained in the at least two pieces of registration information respectively has matched static information, generating an initial equipment information list according to the equipment information contained in the at least two pieces of registration information respectively, wherein the at least two pieces of registration information are received before the registration information of the target terminal equipment.
11. The method of claim 10, further comprising:
if the item matched with the static information of the target terminal equipment is not inquired in the equipment information list, determining that the target terminal equipment does not accord with the inspection condition;
and if the item matched with the static information of the target terminal equipment and the dynamic information of the target terminal equipment is inquired in the equipment information list, determining that the target terminal equipment does not meet the inspection condition.
12. A terminal device, comprising: a memory, a processor, a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the key exchange method of any one of claims 7 to 9.
13. A server, comprising: a memory, a processor, a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the key exchange method of any one of claims 10 to 11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111533951.1A CN113938279B (en) | 2021-12-15 | 2021-12-15 | Key exchange method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111533951.1A CN113938279B (en) | 2021-12-15 | 2021-12-15 | Key exchange method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113938279A CN113938279A (en) | 2022-01-14 |
| CN113938279B true CN113938279B (en) | 2022-06-14 |
Family
ID=79289085
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111533951.1A Active CN113938279B (en) | 2021-12-15 | 2021-12-15 | Key exchange method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113938279B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111464486A (en) * | 2019-01-22 | 2020-07-28 | 阿里巴巴集团控股有限公司 | Information interaction method and device and computing equipment |
Family Cites Families (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102014002207A1 (en) * | 2014-02-20 | 2015-08-20 | Friedrich Kisters | Method and device for identifying or authenticating a person and / or an object by dynamic acoustic security information |
| CN105704123B (en) * | 2016-01-08 | 2017-09-15 | 腾讯科技(深圳)有限公司 | A kind of methods, devices and systems for carrying out business processing |
| EP3244360A1 (en) * | 2016-05-12 | 2017-11-15 | Skidata Ag | Method for registration of equipment, in particular for access control devices or payment or vending machines in a server of a system comprising several such devices |
| CN109600392A (en) * | 2019-01-15 | 2019-04-09 | 四川虹微技术有限公司 | A kind of method and device for preventing information from distorting |
| CN110460609B (en) * | 2019-08-16 | 2021-12-14 | 江苏恒宝智能系统技术有限公司 | Bidirectional authentication method and system for terminal application and security authentication platform |
| CN110635916B (en) * | 2019-09-30 | 2022-07-12 | 四川虹微技术有限公司 | TEE-based security application authentication method |
| DE102020205993B3 (en) * | 2020-05-13 | 2021-09-16 | Volkswagen Aktiengesellschaft | Concept for the exchange of cryptographic key information |
| US11171964B1 (en) * | 2020-12-23 | 2021-11-09 | Citrix Systems, Inc. | Authentication using device and user identity |
| CN113411190B (en) * | 2021-08-20 | 2021-11-09 | 北京数业专攻科技有限公司 | Key deployment, data communication, key exchange and security reinforcement method and system |
-
2021
- 2021-12-15 CN CN202111533951.1A patent/CN113938279B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111464486A (en) * | 2019-01-22 | 2020-07-28 | 阿里巴巴集团控股有限公司 | Information interaction method and device and computing equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113938279A (en) | 2022-01-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111429254B (en) | Business data processing method and device and readable storage medium | |
| US11258792B2 (en) | Method, device, system for authenticating an accessing terminal by server, server and computer readable storage medium | |
| CN102271042B (en) | Certificate authorization method, system, universal serial bus (USB) Key equipment and server | |
| JP4113274B2 (en) | Authentication apparatus and method | |
| CN106534160A (en) | Identity authentication method and system based on block chain | |
| JP2018501567A (en) | Device verification method and equipment | |
| CN103685138A (en) | Method and system for authenticating application software of Android platform on mobile internet | |
| CN101036340A (en) | Two-way error correction for physical tokens | |
| CN112311735A (en) | Credible authentication method, network equipment, system and storage medium | |
| US9940446B2 (en) | Anti-piracy protection for software | |
| CN110995446B (en) | Evidence verification method, device, server and storage medium | |
| KR102137122B1 (en) | Security check method, device, terminal and server | |
| CN110381075B (en) | Block chain-based equipment identity authentication method and device | |
| CN101241528A (en) | Terminal access trusted PDA method and access system | |
| CN113055176B (en) | Terminal authentication method and system, terminal device, P2P verification platform and medium | |
| CN110096894B (en) | Data anonymous sharing system and method based on block chain | |
| CN106789024A (en) | A kind of remote de-locking method, device and system | |
| CN111327561B (en) | Authentication method, system, authentication server, and computer-readable storage medium | |
| CN107026729B (en) | Method and device for transmitting software | |
| CN109981650B (en) | Transfer method and system for general certificates in block chain | |
| Ma et al. | Finding flaws from password authentication code in android apps | |
| CN112583594A (en) | Data processing method, acquisition device, gateway, trusted platform and storage medium | |
| CN113938279B (en) | Key exchange method, device and system | |
| CN116707983A (en) | Authorization authentication method and device, access authentication method and device, equipment and medium | |
| CN114584313B (en) | Equipment physical identity authentication method, system, device and first platform |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40065678 Country of ref document: HK |