CN114124366A - Key generation method of trusted chip and related equipment - Google Patents
Key generation method of trusted chip and related equipment Download PDFInfo
- Publication number
- CN114124366A CN114124366A CN202010899478.8A CN202010899478A CN114124366A CN 114124366 A CN114124366 A CN 114124366A CN 202010899478 A CN202010899478 A CN 202010899478A CN 114124366 A CN114124366 A CN 114124366A
- Authority
- CN
- China
- Prior art keywords
- key
- random number
- seed
- trusted chip
- trusted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 238000004422 calculation algorithm Methods 0.000 claims description 28
- 238000012545 processing Methods 0.000 claims description 22
- 238000004891 communication Methods 0.000 description 9
- 238000004590 computer program Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 5
- 230000001419 dependent effect Effects 0.000 description 5
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 239000000306 component Substances 0.000 description 1
- 239000008358 core component Substances 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0863—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The embodiment of the application discloses a secret key generation method of a trusted chip and related equipment, which can be applied to the technical field of trusted chips, and the method comprises the following steps: the trusted chip receives a first random number input by a platform, determines a first key seed according to the first random number, and generates a root key according to the first key seed and a key seed preset in the trusted chip; therefore, the key generated by the trusted chip does not depend on a chip manufacturer any more, so that the key of the trusted chip is not easy to know, and the credibility and the data security of the trusted chip are improved.
Description
Technical Field
The embodiment of the application relates to the technical field of trusted chips, in particular to a key generation method of a trusted chip and related equipment.
Background
A Trusted Platform Module (TPM) is a trusted chip that is planted inside a computer and provides a trusted root for the computer, and is an independent device that can generate a key and encrypt and decrypt data, and has an independent processor and a storage unit inside, and the TPM can store various keys and feature data and provide encryption and security authentication services for the computer. Specifically, data to be encrypted can be input into the trusted platform module, then the trusted platform module encrypts the data in the chip, and finally encrypted data is output.
The trusted chip works without leaving a series of keys under its control, which may include, for example, a storage key and an endorsement key; various data are encrypted by each level of secret keys of the storage keys, including an encrypted memory, encrypted hard disk data and the like; the endorsement key is used for certifying the identity of the trusted chip and is usually used for a remote certification process; specifically, a chip manufacturer presets a key seed in advance in the manufacturing process of the trusted chip, a random number generator in the trusted chip is used for generating a random number, and then the trusted chip can generate a corresponding key according to the random number and the key seed.
Since the key seed is provided by the chip manufacturer, and at the same time, although the random number generator is based on hardware, the hardware device is also completely provided by the device manufacturer, and the hardware device can limit the randomness of the random number, so that the key generated by the chip itself is excessively trusting and dependent on the chip manufacturer; how to reduce the dependence on chip manufacturers and obtain the internal key of the trusted chip which is difficult to obtain becomes a problem that needs to be solved urgently in the technology of the trusted chip.
Disclosure of Invention
The embodiment of the application provides a secret key generation method of a trusted chip and related equipment thereof, which are used for reducing the dependence of the generation of the secret key in the trusted chip on a chip manufacturer, so that the trusted chip generates the secret key which is less easy to know, and the security performance of the trusted chip is improved.
A first aspect of an embodiment of the present application provides a method for generating a secret key of a trusted chip, including:
in the manufacturing process of the trusted chip, a chip manufacturer can preset a second key seed in the trusted chip, and as the trusted chip can not work with a series of keys controlled by the trusted chip, in order to ensure the privacy of the keys, the trusted chip can also receive a first random number input by a platform, determine a first key seed by the input first random number, and generate a root key according to the combined action of the first key seed and the second key seed.
The trusted chip determines a first key seed according to a first random number input by the platform, and generates a root key together according to the first key seed and a second key seed preset by a chip manufacturer, so that the generation of the trusted chip key does not depend on the key seed preset by the chip manufacturer any more, a user also participates in the generation of the key through the random number input by the platform, the unpredictability of the key is enhanced, and the data security of the trusted chip is improved.
Based on the first aspect, an embodiment of the present application further provides a first implementation manner of the first aspect:
the trusted chip also comprises a random number generator which is used for generating random numbers, and the random numbers are used for each link of key generation, and the random numbers generated by the random number generator are dependent on hardware equipment, so the random numbers generated by the random number generator are easy to be known by chip manufacturers; therefore, a new second random number can be determined according to the first random number input by the platform and the random number generated by the random number generator, and then the second random number is used for realizing the generation of the key.
The new random number is obtained according to the first random number input by the user through the platform and the random number generated by the random number generator, so that the randomness of the random number can be improved, and a secret key generated according to the random number is more unpredictable.
Based on the first aspect to the first implementation manner of the first aspect, an embodiment of the present application further provides a second implementation manner of the first aspect:
the trusted chip can also generate an input parameter of a password generation algorithm according to the input first random number to change the password generation algorithm, and then the trusted chip inputs the root key into a new password generation algorithm to obtain a plurality of target keys.
The trusted chip changes the password generation algorithm by utilizing the input first random number, so that the password generation algorithm is unpredictable, the generated target key has higher confidentiality, and the key reliability of the trusted chip is improved.
Based on the second implementation manner of the first aspect, the present application provides a third implementation manner of the first aspect:
when the trusted chip obtains the target key according to the new key generation algorithm, a new random number can be used in the calculation process, so that the generated target key is more confidential, and the reliability of the key is improved.
Based on the first aspect to the third implementation manner of the first aspect, the present application provides an example of the fourth implementation manner of the first aspect:
the key in the trusted chip can be divided into two key hierarchies, so that the first key seed can be a first storage root key seed, the second key seed is also a preset second storage root key seed, then the trusted chip generates a storage root key according to the first storage root key seed and the second storage root key seed, the storage root key is used for generating a storage key, and the purpose of the storage key is to encrypt various data input into the trusted chip.
Based on the first aspect to the third implementation manner of the first aspect, the present application provides an example of the fifth implementation manner of the first aspect:
the key in the trusted chip can also be an endorsement key level, so that the first key seed can be a first endorsement key seed, the second seed key is a preset second endorsement key seed, the trusted chip generates an endorsement key according to the first endorsement key seed and the second endorsement key seed, and the endorsement key is used for identity verification of the trusted chip.
Based on the fifth implementation manner of the first aspect, the present application provides a sixth implementation manner of the first aspect:
the trusted chip can generate a public and private key pair according to the endorsement key; the public and private key pair comprises a public key and a private key, and a public key certificate corresponding to the public key comprises the private key signature.
A second aspect of an embodiment of the present application provides a trusted chip, including:
the receiving module is used for receiving a first random number input by the platform;
a determining module, configured to determine a first key seed according to the first random number;
the processing module is used for generating a root key according to the first key seed and the second key seed; and the second key seed is a key seed preset in the credible chip.
Based on the second aspect, the embodiments of the present application further provide a first implementation manner of the second aspect:
the trusted chip comprises a random number generator, and the determining module is further configured to determine a second random number according to the first random number input by the platform and the random number generated by the random number generator, where the second random number is used to update the second key seed.
Based on the second aspect to the first implementation manner of the second aspect, the present application also provides a second implementation manner of the second aspect:
the determining module is further configured to generate an input parameter according to the first random number, where the input parameter is used to determine a password generation algorithm;
and the processing module is also used for generating a target key according to the password generation algorithm and the root key.
Based on the second implementation manner of the second aspect, the present application provides a third implementation manner of the second aspect:
the processing module is specifically configured to perform an operation on the root key and the second random number according to the password generation algorithm to generate the destination key.
Based on the second aspect and the third implementation manner of the second aspect, the present application provides a fourth implementation manner of the second aspect:
the first key seed is a first storage root key seed, and the second key seed is a second storage root key seed;
the processing module is specifically configured to generate a storage root key according to the first storage root key seed and the second storage root key seed, where the storage root key is used to generate a storage key, and the storage key is used to encrypt data.
Based on the second aspect to the third implementation manner of the second aspect, the present application also provides a fifth implementation manner of the second aspect:
the first key seed is a first endorsement key seed, and the second key seed is a second endorsement key seed;
the processing module is specifically configured to generate an endorsement key according to the first endorsement key seed and the second endorsement key seed, where the endorsement key is used for authentication of the trusted chip.
Based on the fifth implementation manner of the second aspect, the present application provides a sixth implementation manner of the second aspect:
the processing module is also used for generating a public and private key pair according to the endorsement key; the public and private key pair comprises a public key and a private key, and a public key certificate corresponding to the public key comprises the private key signature.
A third aspect of the present application provides a trusted platform comprising: at least one processor and a memory, the memory storing computer-executable instructions executable on the processor, the receiving device performing the method according to the first aspect or any one of the possible implementations of the first aspect when the computer-executable instructions are executed by the processor.
A fourth aspect of the present application provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, where the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method for generating a key of a trusted chip described in any one of the possible implementation manners of the first aspect to the first aspect;
the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip or chip system described above in this application further comprises at least one memory having instructions stored therein. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
A fifth aspect of the embodiments of the present application provides a computer storage medium, where the computer storage medium is used to store computer software instructions for the trusted chip, and the computer storage medium includes a program designed for executing the trusted chip.
The trusted chip may be as described in the second aspect above.
A sixth aspect of embodiments of the present application provides a computer program product, where the computer program product includes computer software instructions, and the computer software instructions are loadable by a processor to implement the key generation method for the trusted chip in any of the first aspect.
According to the technical scheme, the method has the following advantages:
in the embodiment of the invention, a trusted chip generates a first key seed through a first random number input by a platform, and the first random number and a second random number generated by a trusted chip random number generator acquire a new random number, and update a preset second key seed of the trusted chip according to the new random number, then generate a root key according to the first key seed and the second key seed, and then generate a target key according to the root key and the new random number; therefore, the first random number input by the user participates in each link of password generation, the key generation process of the trusted chip is more unpredictable, the confidentiality of the key generated by the trusted chip is improved, and the reliability and the safety of the trusted chip are improved.
Drawings
Fig. 1 is a schematic structural diagram of a storage key hierarchy according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a key generation method of a trusted chip according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a trusted chip according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a trusted platform provided in an embodiment of the present application.
Detailed Description
The embodiment of the application provides a secret key generation method of a trusted chip and related equipment thereof, which are used for reducing the dependence of the generation of the secret key in the trusted chip on a chip manufacturer, so that the trusted chip generates the secret key which is less easy to know, and the security performance of the trusted chip is improved.
With the continuous development of network application and electronic commerce, the security problem of a computer system is increasingly highlighted, the existing computer system and the attack protection means thereof cannot meet the requirement of application on security, in order to improve the security protection capability of a computer, a TCG organization provides a concept of a trusted computing platform, aims to strengthen the security of computing environments on mutually independent computing platforms and strengthen the system security from the architecture of the computing platforms.
The existing computer security thought is that some security layers are added between a computer and an external network for protection, such as means of passwords, encryption, anti-virus and the like, and the existing computer security thought belongs to a passive scheme, and the security layers are required to be enhanced or added when new virus threats or intrusion occur; the trusted computing platform needs to have the following functions: strict mutual authentication exists among elements in the trusted computing platform, the system is started from a trusted trust source, Basic Input Output System (BIOS) software, an operating system loading module, an operating system and the like are verified in sequence, and therefore software in a trusted computing starting chain is guaranteed not to be tampered; secondly, the trusted computing platform has different authentication modes for the user identity, the traditional mode is authentication by relying on user login provided by an operating system, the user name and the password are easy to copy, and the software loading operation before the operating system is started cannot be controlled, so that the authentication is not safe enough, the trusted platform authenticates the user by combining with the BIOS in the hardware, and the identity information of the user is extracted from the BIOS, so that the user identity authentication is not dependent on the operating system any more, and the counterfeiting of the identity information of the user is more difficult; finally, the trusted computing platform has the unique identity mark on the network, and the trusted computing platform with the unique identity certificate issued by the authority organization can accurately provide the identity certificate of the trusted computing platform, so that a credit basis is established for network application.
A Trusted Platform Module (TPM) is a core component of a trusted computing platform, and is a trusted chip that is planted inside a computer and provides a trusted root, and the trusted chip can independently perform key generation, encryption and decryption, and has an independent processor and a storage unit inside; the processor is used for generating various types of passwords and encrypting and decrypting input data, and the storage unit can store keys and characteristic data and provide encryption and security authentication services for the computer; specifically, the trusted chip plays a role of a safe case, the most important password data is stored in the security chip, the security chip is communicated with a main processor of a computer and the like through a system management bus, and then various security protection works are completed by matching with management software; because the secret key is stored in the credible chip, the operations of encrypting and decrypting the data are operated in the credible chip, and therefore the data cannot be decrypted even if stolen, so that the data privacy can be protected, and the data security is improved.
Wherein, the TPM is kept in control of a series of keys, and multiple key hierarchies, illustratively including a storage key hierarchy and an endorsement key hierarchy, can be maintained within the trusted chip; fig. 1 is a schematic structural diagram of a storage key hierarchy according to an embodiment of the present disclosure; as shown in fig. 1, the storage key hierarchy is derived from a Storage Root Key (SRK), the SRK is derived downwards, a child node key is generated from a parent node key, and a plurality of storage keys are generated to encrypt various data, including encrypting data in a memory and encrypting hardware; therefore, important data on the trusted computing platform are encrypted through the TPM, and since the encryption and decryption processes of the data are all performed in the trusted chip and the storage key is not output externally, even if other platforms steal the data of the trusted platform, the data cannot be decrypted, and the trusted chip protects the data security on the trusted platform.
Specifically, the storage root key is determined by a storage key seed preset by a chip manufacturer, the trusted chip comprises a random number generator, the random number generator is used for generating random numbers, then the trusted chip generates a plurality of storage root keys SRK according to the storage key seed and the random numbers, then the trusted chip acquires the random numbers again, and sequentially generates a plurality of storage keys downwards according to the SRK and the random numbers.
The endorsement key hierarchy is derived from an Endorsement Key (EK), which is the most core key in the TPM and is generated by a chip manufacturer when producing a secure chip as a permanent identity of a platform; generally, an endorsement key is a public and private key pair with a specific bit length, and in consideration of security and privacy protection, generally, the EK is not directly used for identity authentication, but an Attestation Identity Key (AIK) is generated according to the EK and a random number, the AIK is used for proving the state and configuration of a trusted platform to another party without revealing the identity of the platform, and the other party determines whether the trusted platform is trusted according to the state and configuration; namely, the AIK is a signature key, and the TPM uses the AIK to prove the identity of the TPM, namely, all entities signed by the AIK indicate that the entities are trusted after being processed by the TPM. For example, a trusted platform may have multiple AIKs, and although the multiple AIKs are generated according to the EK, the generated AIKs do not contain any privacy information of the platform or the EK, thereby improving the security of the system.
The AIK is a pair of public and private keys, wherein in the pair of public and private keys, the public key is used for encrypting data, and the private key is used for decrypting the data; when the two platforms carry out data interaction, the first platform encrypts data by using a public key of the other side and transmits the encrypted data to the second platform, and the second platform decrypts the encrypted data by using a private key of the second platform to finish the data interaction; if the first platform wants to know whether the second platform is credible, the first platform needs to judge through a public key certificate provided by the second platform; specifically, the public key certificate is issued by a trusted third party, the trusted third party can acquire the endorsement key certificate of the second platform to determine whether the second platform is the trusted platform, if the trusted third party acquires the endorsement key certificate of the second platform, the second platform is proved to be trusted, and then the public key certificate is provided for the public key generated by the second platform; the first platform can know that the second platform is a trusted platform according to the public key certificate.
In order to prevent the masquerading of the public key certificate, the second platform also needs to sign the public key certificate, and illustratively, the public key certificate can be signed by using a private key, and the public key certificate is proved to come from the second platform, so that the first platform can encrypt data by using the public key according to the public key certificate with the digital signature, and transmit the encrypted data to the second platform, and the data transmission process is completed.
However, no matter the storage root key or the endorsement key is provided by the chip manufacturer in advance, so the trusted identity certificate of the trusted chip is excessively dependent on the chip manufacturer, a user cannot completely trust the trusted identity EK provided by the chip manufacturer, meanwhile, the random number generator is excessively dependent on hardware facilities, and cannot actually and completely generate the "random number", and the chip manufacturer can easily know the "random number" according to the internal hardware structure of the chip manufacturer, so the storage key generated according to the storage root key is likely to be leaked, therefore, the credibility of the trusted chip is greatly reduced, how to reduce the dependence of the trusted chip on the chip manufacturer becomes a problem which needs to be solved urgently.
Fig. 2 is a schematic flowchart of a method for generating a secret key of a trusted chip according to an embodiment of the present application, and as shown in fig. 2, the method includes:
201. the trusted chip receives a first random number input by the platform.
The key generation of the trusted chip is interfered by a user, so that the trusted chip does not depend on a manufacturer of the trusted chip, but obtains keys of all levels required by the trusted chip during working according to the operation of the user. As will be appreciated, the generation of the key is derived from a random number; the trusted platform may provide a visual interface for a user to enter a first random number that is randomly entered by the user to affect key generation by the trusted chip.
202. And the trusted chip determines a first key seed according to the first random number.
The trusted chip determines a first key seed through a first random number, for example, the first key seed may be a first storage root key seed of a storage key hierarchy, and may also be a first endorsement key seed of an endorsement key hierarchy; it can be understood that different types of key seeds are generated by different methods, and the trusted chip can generate the first storage root key seed and the first endorsement key seed by different generation methods through the first random number once input by the user; the first storage root key seed and the first endorsement key seed may also be generated according to the first random number input by the user twice, which is not limited specifically.
203. And the trusted chip generates a root key according to the first key seed and the second key seed.
The second key seed may be a second storage root key seed preset and generated by a chip manufacturer, or a second endorsement key seed preset and generated by the chip manufacturer; for example, the trusted chip may perform calculation processing on the first storage root key seed and the second storage root key seed to obtain a new storage root key seed, and then generate a storage root key according to the new storage root key seed; the trusted chip can perform calculation processing on the first endorsement key seed and the second endorsement key seed to obtain a new endorsement key seed, and then generate the endorsement key according to the new endorsement key seed.
It can be understood that, the generation of the storage root key and the endorsement key requires not only the storage root key seed and the endorsement key seed, but also the participation of random numbers in the calculation, and for example, in the calculation of generating the storage root key and the endorsement key, the second random number generated by the random number generator may also be influenced according to the first random number input by the user, that is, a new random number is generated according to the first random number and the second random number; the trusted chip calculates the new random number and the new key seed to obtain a corresponding storage root key or an endorsement key;
for example, the new random number may also be updated with a second key seed provided by the chip manufacturer; the trusted chip determines a first key seed according to a first random number input by a user, updates a second key seed preset by a chip manufacturer according to the first random number, determines a new random number through the first random number and a second random number generated by a chip random number generator, and generates a corresponding root key according to the first key seed, the updated second key seed and the new random number, so that the first random number input by the user participates in each link of root key generation, and the confidentiality and unpredictability of the root key are improved.
204. And the trusted chip generates a target key according to a password generation algorithm and the root key.
The trusted chip can operate the root key through a password generation algorithm to obtain a plurality of keys; illustratively, part of the parameters of the key generation algorithm are also determined by random numbers; therefore, the trusted chip can determine the parameters of the key generation algorithm through the first random number input by the user, and then operate the root key according to the new key generation algorithm to obtain a plurality of target keys.
Illustratively, the root key is a storage root key, the trusted chip may further determine a new random number by using the first random number and the second random number, and update a part of parameters of a storage key generation algorithm according to the new random number; and then, the updated storage key generation algorithm is used for operating the storage root key to obtain a plurality of storage keys.
Illustratively, the root key is an endorsement key, the trusted chip can also determine a new random number through the first random number and the second random number, and update part of parameters of the certificate identity key generation algorithm according to the new random number; and then, the endorsement keys are operated by using the updated certificate identity key generation algorithm to obtain a plurality of certificate keys AIK.
It can be understood that the AIK also needs a trusted third party to provide an AIK certificate for the AIK, since the trusted third party may not trust the EK certificate of the endorsement key EK provided by the chip manufacturer, that is, the trusted third party cannot know the credibility of the trusted platform through the EK certificate, the trusted third party may sign the AIK through a new private key part of the EK generated by the first random number input by the user, and determine the credibility of the new EK by looking up the new signature, and provide the AIK certificate for the AIK according to the EK certificate carrying the signature of the private key of the user.
In the technical scheme provided by this embodiment, a trusted chip generates a first key seed by using a first random number input by a platform, and the first random number and a second random number generated by a trusted chip random number generator obtain a new random number, and updates a preset second key seed of the trusted chip according to the new random number, then generates a root key according to the first key seed and the second key seed, and then generates a target key according to the root key and the new random number; therefore, the first random number input by the user participates in each link of password generation, the key generation process of the trusted chip is more unpredictable, the confidentiality of the key generated by the trusted chip is improved, and the reliability and the safety of the trusted chip are improved.
Referring to fig. 3, a schematic structure diagram of a trusted chip 300 according to an embodiment of the present disclosure is shown. As shown in fig. 3, the trusted chip 300 includes:
a receiving module 301, configured to receive a first random number input by a platform;
a determining module 302, configured to determine a first key seed according to the first random number;
a processing module 303, configured to generate a root key according to the first key seed and the second key seed; and the second key seed is a key seed preset in the credible chip.
In an optional embodiment, the trusted chip includes a random number generator, and the determining module 302 is further configured to determine a second random number according to the first random number input by the platform and the random number generated by the random number generator, where the second random number is used to update the second key seed.
In an optional embodiment, the determining module 302 is further configured to generate an input parameter according to the first random number, where the input parameter is used to determine a password generation algorithm;
the processing module 303 is further configured to generate a destination key according to the password generation algorithm and the root key.
In an optional implementation manner, the processing module 303 is specifically configured to perform an operation on the root key and the second random number according to the password generation algorithm to generate the destination key.
In an optional embodiment, the first key seed is a first storage root key seed, and the second key seed is a second storage root key seed;
the processing module 303 is specifically configured to generate a storage root key according to the first storage root key seed and the second storage root key seed, where the storage root key is used to generate a storage key, and the storage key is used to encrypt data.
In an optional embodiment, the first key seed is a first endorsement key seed, and the second key seed is a second endorsement key seed;
the processing module 303 is specifically configured to generate an endorsement key according to the first endorsement key seed and the second endorsement key seed, where the endorsement key is used for authentication of the trusted chip.
In an optional embodiment, the processing module 303 is further configured to generate a public-private key pair according to the endorsement key; the public and private key pair comprises a public key and a private key, and a public key certificate corresponding to the public key comprises the private key signature.
Referring to fig. 4, a schematic structural diagram of a trusted platform provided in the embodiment of the present application includes a processor 401, a memory 402, and a communication interface 403.
In this embodiment, the processor 401 may execute the operations executed by the trusted chip in the embodiment shown in fig. 2, which is not described herein again.
In this embodiment, the specific functional module division in the processor 401 may be similar to the functional module division manner of the receiving module, the determining module, and the processing module described in fig. 3, and is not described herein again.
The embodiment of the present application further provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, the communication interface and the at least one processor are interconnected by a line, and the at least one processor executes instructions or a computer program to perform one or more steps in the embodiment of the method shown in fig. 2, or an optional implementation manner thereof, so as to implement the functions of the trusted chip in the above method.
The communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In a possible implementation, the chip or chip system described above further comprises at least one memory, in which instructions are stored. The memory may be a storage unit inside the chip, such as a register, a cache, etc., or may be a storage unit of the chip (e.g., a read-only memory, a random access memory, etc.).
The embodiment of the present application further provides a computer storage medium, where a computer program instruction for implementing the trusted chip function in the password generation method of the trusted chip provided by the embodiment of the present application is stored in the computer storage medium.
An embodiment of the present application further provides a computer program product, where the computer program product includes computer software instructions, and the computer software instructions may be loaded by a processor to implement the flow in the password generation method of the trusted chip shown in the above-mentioned figure.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and the like.
Claims (15)
1. A method for generating a key of a trusted chip is characterized by comprising the following steps:
the trusted chip receives a first random number input by the platform;
the trusted chip determines a first key seed according to the first random number;
the trusted chip generates a root key according to the first key seed and the second key seed; and the second key seed is a key seed preset in the credible chip.
2. The method of claim 1, wherein the trusted chip comprises a random number generator, the method further comprising:
and the trusted chip determines a second random number according to the first random number input by the platform and the random number generated by the random number generator.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the trusted chip generates input parameters according to the first random number, and the input parameters are used for determining a password generation algorithm;
and the trusted chip generates a target key according to the password generation algorithm and the root key.
4. The method of claim 3, wherein the trusted chip generates a destination key according to the cryptographic generation algorithm and the root key, and comprises:
and the trusted chip operates the root key and the second random number according to the password generation algorithm to generate the target key.
5. The method according to any one of claims 1 to 4, wherein the first key seed is a first storage root key seed, the second key seed is a second storage root key seed, and the generating, by the trusted chip, a root key according to the first key seed and the second key seed includes:
and the trusted chip generates a storage root key according to the first storage root key seed and the second storage root key seed, wherein the storage root key is used for generating a storage key, and the storage key is used for encrypting data.
6. The method according to any one of claims 1 to 4, wherein the first key seed is a first endorsement key seed, the second key seed is a second endorsement key seed, and the generating, by the trusted chip, a root key according to the first key seed and the second key seed comprises:
and the trusted chip generates an endorsement key according to the first endorsement key seed and the second endorsement key seed, wherein the endorsement key is used for the authentication of the trusted chip.
7. The method of claim 6, further comprising:
the trusted chip generates a public and private key pair according to the endorsement key; the public and private key pair comprises a public key and a private key, and a public key certificate corresponding to the public key comprises the private key signature.
8. A trusted chip, wherein the trusted chip comprises:
the receiving module is used for receiving a first random number input by the platform;
a determining module, configured to determine a first key seed according to the first random number;
the processing module is used for generating a root key according to the first key seed and the second key seed; and the second key seed is a key seed preset in the credible chip.
9. The trusted chip of claim 8, wherein the trusted chip comprises a random number generator, and the determining module is further configured to determine a second random number according to the first random number input by the platform and the random number generated by the random number generator, and the second random number is used to update the second key seed.
10. The trusted chip according to claim 8 or 9, wherein the determining module is further configured to generate an input parameter according to the first random number, the input parameter being used to determine a password generation algorithm;
and the processing module is also used for generating a target key according to the password generation algorithm and the root key.
11. The trusted chip according to claim 10, wherein the processing module is specifically configured to perform an operation on the root key and the second random number according to the password generation algorithm to generate the destination key.
12. The trusted chip according to any one of claims 8 to 11, wherein the first key seed is a first storage root key seed, and the second key seed is a second storage root key seed;
the processing module is specifically configured to generate a storage root key according to the first storage root key seed and the second storage root key seed, where the storage root key is used to generate a storage key, and the storage key is used to encrypt data.
13. The trusted chip according to any one of claims 8 to 11, wherein the first key seed is a first endorsement key seed, and the second key seed is a second endorsement key seed;
the processing module is specifically configured to generate an endorsement key according to the first endorsement key seed and the second endorsement key seed, where the endorsement key is used for authentication of the trusted chip.
14. The trusted chip of claim 13, wherein said processing module is further configured to generate a public-private key pair from said endorsement key; the public and private key pair comprises a public key and a private key, and a public key certificate corresponding to the public key comprises the private key signature.
15. A computer-readable storage medium storing one or more computer-executable instructions, wherein when the computer-executable instructions are executed by a processor, the processor performs the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010899478.8A CN114124366A (en) | 2020-08-31 | 2020-08-31 | Key generation method of trusted chip and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010899478.8A CN114124366A (en) | 2020-08-31 | 2020-08-31 | Key generation method of trusted chip and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114124366A true CN114124366A (en) | 2022-03-01 |
Family
ID=80360117
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010899478.8A Pending CN114124366A (en) | 2020-08-31 | 2020-08-31 | Key generation method of trusted chip and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114124366A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117375804A (en) * | 2023-12-05 | 2024-01-09 | 飞腾信息技术有限公司 | Key derivation method, related equipment and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102307095A (en) * | 2011-04-27 | 2012-01-04 | 上海动联信息技术有限公司 | Injection and deformation method for seed key of dynamic token |
| CN105718794A (en) * | 2016-01-27 | 2016-06-29 | 华为技术有限公司 | Safety protection method and system for virtual machine based on VTPM |
| CN107534551A (en) * | 2015-07-30 | 2018-01-02 | 慧与发展有限责任合伙企业 | Encryption data |
| US20180234255A1 (en) * | 2016-12-15 | 2018-08-16 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
| CN108510018A (en) * | 2017-02-27 | 2018-09-07 | 华大半导体有限公司 | A kind of safe RFID electronic label Application issuance system and its apparatus |
| CN110351077A (en) * | 2019-05-30 | 2019-10-18 | 平安科技(深圳)有限公司 | Method, apparatus, computer equipment and the storage medium of data encryption |
| CN110874478A (en) * | 2018-08-29 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Key processing method and device, storage medium and processor |
-
2020
- 2020-08-31 CN CN202010899478.8A patent/CN114124366A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102307095A (en) * | 2011-04-27 | 2012-01-04 | 上海动联信息技术有限公司 | Injection and deformation method for seed key of dynamic token |
| CN107534551A (en) * | 2015-07-30 | 2018-01-02 | 慧与发展有限责任合伙企业 | Encryption data |
| CN105718794A (en) * | 2016-01-27 | 2016-06-29 | 华为技术有限公司 | Safety protection method and system for virtual machine based on VTPM |
| US20180234255A1 (en) * | 2016-12-15 | 2018-08-16 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
| CN108510018A (en) * | 2017-02-27 | 2018-09-07 | 华大半导体有限公司 | A kind of safe RFID electronic label Application issuance system and its apparatus |
| CN110874478A (en) * | 2018-08-29 | 2020-03-10 | 阿里巴巴集团控股有限公司 | Key processing method and device, storage medium and processor |
| CN110351077A (en) * | 2019-05-30 | 2019-10-18 | 平安科技(深圳)有限公司 | Method, apparatus, computer equipment and the storage medium of data encryption |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117375804A (en) * | 2023-12-05 | 2024-01-09 | 飞腾信息技术有限公司 | Key derivation method, related equipment and storage medium |
| CN117375804B (en) * | 2023-12-05 | 2024-02-23 | 飞腾信息技术有限公司 | Key derivation method, related equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10482291B2 (en) | Secure field-programmable gate array (FPGA) architecture | |
| Cohney et al. | Pseudorandom black swans: Cache attacks on CTR_DRBG | |
| US20050283826A1 (en) | Systems and methods for performing secure communications between an authorized computing platform and a hardware component | |
| CN102571329B (en) | Password key management | |
| WO2017147503A1 (en) | Techniques for confidential delivery of random data over a network | |
| WO2006023151A2 (en) | Method of delivering direct proof private keys to devices using an on-line service | |
| US20180241560A1 (en) | Device attestation | |
| JP2017034713A (en) | Cryptographic algorithm fault protection | |
| KR20110035573A (en) | Method for providing safety of virtual machine installation in cloud computing environment | |
| CN110855667B (en) | Block chain encryption method, device and system | |
| CN114679270A (en) | Data cross-domain encryption and decryption method based on privacy calculation | |
| CN114124366A (en) | Key generation method of trusted chip and related equipment | |
| WO2009109811A1 (en) | Platform security model for networking solution platforms | |
| KR20140071775A (en) | Cryptography key management system and method thereof | |
| US20220198067A1 (en) | Privacy-enhanced computation via sequestered encryption | |
| JP4937921B2 (en) | A secure interface for generic key derivation function support | |
| Sarma | Security of hard disk encryption | |
| CN113508380A (en) | Method for terminal entity authentication | |
| Jain | Enhancing security in Tokenization using NGE for storage as a service | |
| Zhu et al. | Improvement upon mutual password authentication scheme | |
| Pham et al. | Novel PUF-Based Authentication Protocol for IoT Devices with Secure Boot and Fuzzy Matching | |
| Szefer | Basic Computer Security Concepts | |
| Warsi et al. | Secure Firmware based Lightweight Trusted Platform Module (FLTPM) for IoT Devices | |
| Graf et al. | A key management architecture for securing off-chip data transfers | |
| CN116888921A (en) | Privacy enhanced computing via quarantine encryption |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20220301 |