CN114157470A - Token management method and device - Google Patents

Publication number: CN114157470A
Authority: CN (China)
Prior art keywords: token, terminal, public key, information, target
Legal status: Granted
Current legal status: Active
Application number: CN202111431651.2A
Other languages: Chinese (zh)
Other versions: CN114157470B (en)
Inventor: 姜海辉
Current Assignee: Huizhou TCL Mobile Communication Co Ltd
Original Assignee: Huizhou TCL Mobile Communication Co Ltd
Application filed by Huizhou TCL Mobile Communication Co Ltd
Priority to CN202111431651.2A
Publication of CN114157470A
Application granted
Publication of CN114157470B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a token management method and a token management device. After receiving a terminal identifier and token authority requirement information sent by a target terminal, the method performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information. It then screens out the public key corresponding to the terminal identifier from a preset public key set, encrypts the configured token information and the terminal identifier based on the public key, and distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key, held in the terminal security space, that corresponds to the public key. The scheme can improve the security of token management.

Description

Token management method and device
Technical Field
The invention relates to the technical field of communication, in particular to a token management method and a token management device.
Background
In recent years, with the rapid development of internet technology, a device terminal can realize various functional requirements through various tokens. Because a token relates to the control of exposed ports, tokens need to be managed securely. In the existing token management approach, the token server mainly controls token authority through one unified key. All devices therefore use the same key to protect their tokens, so security depends excessively on the safekeeping of that single key, which reduces the security of token management.
Disclosure of Invention
The embodiment of the invention provides a token management method and device, which can improve the security of token management.
A token management method, comprising:
receiving a terminal identifier and token authority requirement information sent by a target terminal;
according to the token permission requirement information, carrying out permission configuration on the token corresponding to the target terminal to obtain configured token information;
screening out a public key corresponding to the terminal identification from a preset public key set, and encrypting the configured token information and the terminal identification based on the public key;
and distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in the terminal security space.
Optionally, an embodiment of the present application may further provide another token management method, including:
creating a key pair in a terminal, and storing the key pair in a terminal security space, wherein the key pair comprises a public key and a private key corresponding to the public key;
sending the public key and the terminal identification to a token server so that the token server can bind the public key and the terminal identification;
sending the terminal identification and the token permission requirement information to the token server so that the token server can generate encrypted token information based on the terminal identification and the token permission information;
and obtaining the encrypted token information generated by the token server, and storing the encrypted token information to the terminal security space.
Correspondingly, an embodiment of the present invention provides a token management apparatus, including:
the receiving unit is used for receiving the terminal identification and the token authority requirement information sent by the target terminal;
the configuration unit is used for carrying out authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
the encryption unit is used for screening out a public key corresponding to the terminal identifier from a preset public key set and encrypting the configured token information and the terminal identifier based on the public key;
and the sending unit is used for distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in the terminal security space.
Optionally, an embodiment of the present application may further provide a token management apparatus, including:
the creating unit is used for creating a key pair in a terminal and storing the key pair in a terminal security space, wherein the key pair comprises a public key and a private key corresponding to the public key;
the binding unit is used for sending the public key and the terminal identification to a token server so that the token server can bind the public key and the terminal identification;
the generating unit is used for sending the terminal identification and the token authority requirement information to the token server so that the token server can generate encrypted token information based on the terminal identification and the token authority information;
and the obtaining unit is used for obtaining the encrypted token information generated by the token server and storing the encrypted token information to the terminal security space.
Optionally, in some embodiments, the configuration unit may be specifically configured to determine token right configuration information of the target terminal according to the token right requirement information; screening out tokens corresponding to the target terminal from a preset token set based on the token permission configuration information, and determining the target permission of the tokens; and carrying out authority configuration on the token according to the target authority to obtain the configured token information.
Optionally, in some embodiments, the configuration unit may be specifically configured to generate a configuration state of the token according to the configured token information, and to send the configuration state and the expiration time of the configuration state to the target terminal. In that case, screening out the public key corresponding to the terminal identifier from the preset public key set comprises: when a token authority information acquisition request sent by the target terminal is received within the expiration time, screening out the public key corresponding to the terminal identifier from the preset public key set.
Optionally, in some embodiments, the token management apparatus may further include a storage unit, where the storage unit is specifically configured to receive a terminal public key upload request sent by a production line server, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal acquired by the production line server; binding the original terminal identification and the target public key, and storing the bound target public key to a preset public key set; and sending the storage state of the bound target public key to the production line server.
Optionally, in some embodiments, the creating unit may be specifically configured to establish a communication connection with a production line server, and receive, through the communication connection, a key generation request sent by the production line server; inquiring a private key in the terminal security space based on the key generation request; when the terminal security space has the private key, taking the private key and a public key corresponding to the private key as a key pair; and when the private key does not exist in the terminal security space, generating a key pair in the terminal security space.
Optionally, in some embodiments, the binding unit may be specifically configured to receive a public key export request sent by the production line server; export the public key from the terminal security space according to the public key export request, and temporarily store the exported public key; and send the storage address of the temporarily stored public key to the production line server, so that the production line server sends the exported public key and the terminal identifier to a token server based on the storage address.
Optionally, in some embodiments, the token management apparatus may further include an authentication unit, where the authentication unit is specifically configured to, when an authentication scenario of a terminal is started, read a private key corresponding to the authentication scenario in the terminal security space; decrypting the encrypted token information based on the private key, and identifying a target token of the authentication scene and the token authority of the target token in the decrypted token information; and performing authentication in the authentication scene according to the target token and the token authority.
In addition, an embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where the memory stores an application program, and the processor is configured to run the application program in the memory to implement the token management method provided in the embodiment of the present invention.
In addition, the embodiment of the present invention further provides a computer-readable storage medium, where a plurality of instructions are stored, and the instructions are suitable for being loaded by a processor to perform the steps in any one of the token management methods provided by the embodiments of the present invention.
In the embodiment of the invention, after a terminal identifier and token authority requirement information sent by a target terminal are received, authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information. A public key corresponding to the terminal identifier is then screened out from a preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key, held in the terminal security space, that corresponds to the public key. In this scheme, the token corresponding to the target terminal is configured according to the token authority requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal. Unified key management is thereby dispersed into token protection controlled by the key of each independent device, which minimizes the risk that the leakage of one key allows all tokens to be injected arbitrarily, and the security of token management can therefore be improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a token management system provided by an embodiment of the invention;
FIG. 2 is a schematic view of a scenario of a token management method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a token management method according to an embodiment of the present invention;
FIG. 4 is another flow chart of a token management method according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of querying a private key in a terminal security space according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of a terminal exporting a public key according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of a process of acquiring encrypted token information by a terminal according to an embodiment of the present invention;
FIG. 8 is a schematic flow chart of a token management method according to an embodiment of the present invention;
FIG. 9 is an overall framework topology diagram of token management provided by an embodiment of the present invention;
FIG. 10 is a general flow diagram of a token management process provided by an embodiment of the invention;
FIG. 11 is a schematic structural diagram of a first token management apparatus according to an embodiment of the present invention;
FIG. 12 is another schematic structural diagram of the first token management apparatus according to the embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a second token management apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a second token management apparatus according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a token management method and device. The token management apparatus may be integrated in an electronic device, and the electronic device may be a server or a terminal. Specifically, the embodiments of the present invention provide a token management apparatus (may be referred to as a first token management apparatus for distinction) suitable for a first electronic device, and a token management apparatus (may be referred to as a second token management apparatus for distinction) suitable for a second electronic device.
The first electronic device may be a Network-side device such as a server, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a Network acceleration service (CDN), and a big data and artificial intelligence platform. The second electronic device may be a terminal, and the terminal may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, or the like, but is not limited thereto. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
The embodiment of the present invention describes a token management method by taking a first electronic device as a server and a second electronic device as a terminal as an example.
For example, referring to FIG. 1, an embodiment of the present invention provides a token management system, which includes a token server 10, a production line server 20, and a terminal 30. The token server 10, the production line server 20, and the terminal 30 are connected via a network, for example a wired or wireless network, and the token management apparatus may be integrated in the terminal, for example in the form of a client.
The token server 10 may be configured to, after receiving the terminal identifier and the token permission requirement information sent by the target terminal, perform permission configuration on the token corresponding to the target terminal according to the token permission requirement information to obtain configured token information, then screen out a public key corresponding to the terminal identifier from a preset public key set, encrypt the configured token information and the terminal identifier based on the public key, and distribute the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key, held in the terminal security space, that corresponds to the public key. This can improve the security of token management, as shown in FIG. 2.
The terminal 30 may send the terminal identifier and the token permission requirement information to the token server, and receive the encrypted token information returned by the token server, specifically as follows:
The terminal creates a key pair, stores the key pair in a terminal security space, and sends the public key of the key pair and a terminal identifier to a token server so that the token server can bind the public key and the terminal identifier. The terminal then sends the terminal identifier and token permission requirement information to the token server so that the token server can generate encrypted token information based on the terminal identifier and the token permission information, obtains the encrypted token information generated by the token server, and stores the encrypted token information in the terminal security space, thereby improving the security of token management.
Each is described in detail below. It should be noted that the order in which the embodiments are described is not intended to indicate a preferred order of the embodiments.
In this embodiment, the description will be made from the perspective of a first token management apparatus, where the first token management apparatus may be specifically integrated in an electronic device, the electronic device may be a server, the server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud service, a cloud database, cloud computing, cloud functions, cloud storage, Network service, cloud communication, middleware service, domain name service, security service, Network acceleration service (CDN), and a big data and artificial intelligence platform.
As shown in fig. 3, the specific flow of the token management method is as follows:
101. Receive the terminal identifier and the token authority requirement information sent by the target terminal.
The token permission requirement information indicates the target terminal's requirements for the permission of each token; for example, it may be information on the permission type of one or more tokens.
The terminal identifier may be an International Mobile Equipment Identity (IMEI) of the terminal, may also be an Equipment Serial Number (SN), or may also be an IMEI and a SN.
The terminal identifier and the token authority requirement information may be received in various ways, specifically as follows:
For example, the terminal identifier and the token permission requirement information may be received directly from the target terminal, or they may be received from a configuration server that has received them from the target terminal. Alternatively, when the terminal identifiers and token permission requirement information are numerous or occupy a large amount of memory, the storage address of the terminal identifier and the token permission requirement information, sent by the target terminal or the configuration server, may be received, and the terminal identifier and the token permission requirement information of the target terminal may be obtained based on the storage address.
102. Perform authority configuration on the token corresponding to the target terminal according to the token authority requirement information, to obtain the configured token information.
A token may be an object representing the right to perform some operation.
Authority configuration of the token of the target terminal may be performed in various ways, specifically as follows:
For example, token permission configuration information of the target terminal can be determined according to the token permission requirement information; tokens corresponding to the target terminal are screened out from a preset token set based on the token permission configuration information, and the target permission of the tokens is determined; permission configuration is then performed on the tokens according to the target permission, and the configured token information is obtained.
For example, a configuration permission policy can be extracted from the token permission requirement information and used as the token permission configuration information of the target terminal, or at least one token permission configuration item is identified from the token permission requirement information, basic token permission configuration information corresponding to the token permission configuration item is screened from a preset token permission configuration information set, and the basic token permission configuration information is fused to obtain the token permission configuration information of the target terminal.
After the token permission configuration information of the target terminal is determined, the token corresponding to the target terminal can be screened out from the preset token set based on that information, and the target permission of the token can be determined. This can be done in various ways. For example, the token identifier of the token to be configured can be identified in the token permission configuration information, and the token corresponding to that identifier can be screened out from the preset token set to obtain the token corresponding to the target terminal; then the token permission set of the token to be configured is identified in the token permission configuration information and matched with the token, so that the target permission of each token is obtained.
After the token is screened out and its target authority is determined, authority configuration can be performed on the token in various ways. For example, attribute information of the token can be obtained, the current authority of the token for the target terminal can be identified in the attribute information, and the current authority can be adjusted to the target authority, so that the configured token information is obtained. Alternatively, a candidate authority list of each token is obtained, the target authority is selected from the candidate authority list to obtain a target authority list of each terminal, the target authority list is associated with the terminal identifier, and authority configuration is performed on the corresponding token based on the associated target authority list, so that the configured token information is obtained.
Optionally, after authority configuration is performed on the token according to the target authority and the configured token information is obtained, the configuration state and other information may be sent to the target terminal to inform it of the configuration result. This can be done in various ways. For example, the configuration state of the token may be generated according to the configured token information, and the configuration state and the expiration time of the configured token information sent to the target terminal; when a token authority information obtaining request sent by the target terminal is received within the expiration time, the public key corresponding to the terminal identifier is screened out from the preset public key set. Alternatively, the configuration state of the token may be generated according to the configured token information and returned to the configuration server, so that the configuration server sends the configuration state and the expiration time corresponding to the configuration state to the target terminal.
103. Screen out a public key corresponding to the terminal identifier from a preset public key set, and encrypt the configured token information and the terminal identifier based on the public key.
For example, a public key corresponding to the terminal identifier may be directly screened from a preset public key set, an encryption algorithm corresponding to the public key is obtained, based on the encryption algorithm, the configured token information and the terminal identifier are bound by using the public key, and encryption is performed to obtain encrypted token information.
Optionally, before the public key corresponding to the terminal identifier is screened out from the preset public key set, the public key of the terminal, which resides in the terminal security space, may be acquired and stored. This can be done in various ways. For example, a terminal public key uploading request sent by a production line server may be received, where the request carries an original terminal identifier and a target public key of at least one terminal collected by the production line server; the original terminal identifier and the target public key are bound, the bound target public key is stored in the preset public key set, and the storage state of the bound target public key is sent to the production line server.
The production line server can also be understood as a production line workstation, is deployed on a production line of the terminal, can be used as an edge service node to collect the original terminal identifier of each terminal and derive the public key of the terminal, and sends the collected original terminal identifier and the public key to the token server.
104. Distribute the encrypted token information to the target terminal, so that the target terminal can decrypt the encrypted token information based on the private key, held in the terminal security space, that corresponds to the public key.
The encrypted token information can be understood as token information obtained by binding the data in the token to the terminal identifier and encrypting the result; it indicates the target token corresponding to the terminal identifier and the authority information of the target token.
The terminal security space may be a partition with security characteristics in the eMMC (embedded MultiMediaCard), namely the Replay Protected Memory Block (RPMB) of the terminal.
The encrypted token information may be distributed to the target terminal in various ways, specifically as follows:
For example, the encrypted token information may be sent directly to the terminal. Alternatively, an allocation identifier may be added to the encrypted token information, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and an allocation request carrying the allocation identifier is generated, so that the target terminal obtains the encrypted token information based on the allocation identifier.
After the target terminal obtains the encrypted token information, the target terminal can decrypt the encrypted token information according to a private key corresponding to a public key in a terminal security space in an authentication scene, identify a target token corresponding to the authentication scene and a token authority of the target token in the decrypted token information, and authenticate the authentication scene according to the target token and the token authority.
As can be seen from the above, in the embodiment of the present application, after receiving the terminal identifier and the token authority requirement information sent by the target terminal, the authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information, the configured token information is configured, then, the public key corresponding to the terminal identifier is screened out from the preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space; according to the scheme, the authority configuration is carried out on the token corresponding to the target terminal through the token authority requirement information of the target terminal, and the configured token is encrypted through the public key corresponding to the terminal identification of the target terminal, so that unified key management is dispersed to key control token protection of each independent device, the risk that all tokens are possibly injected randomly due to one key leakage is reduced to the maximum extent, and therefore the security of token management can be improved.
This embodiment will be described from the perspective of a second token management apparatus, which may be specifically integrated in an electronic device, and the electronic device may be a terminal or other devices; the terminal may include a tablet Computer, a notebook Computer, a Personal Computer (PC), a wearable device, a virtual reality device, or other intelligent devices capable of processing data.
A token management method, comprising:
A key pair is created in a terminal and stored in a terminal security space, the key pair including a public key and a private key corresponding to the public key; the public key and a terminal identifier are sent to a token server so that the token server binds the public key and the terminal identifier; the terminal identifier and token authority requirement information are sent to the token server so that the token server generates encrypted token information based on the terminal identifier and the token authority information; and the encrypted token information generated by the token server is obtained and stored in the terminal security space.
As shown in fig. 4, the specific flow of the information processing method is as follows:
201. A key pair is created within the terminal and stored in the terminal secure space.
The key pair comprises a public key and a private key corresponding to the public key. The key pair is obtained by an encryption algorithm: one key is disclosed to the outside and is called the public key; the other is kept by the holder and is called the private key. The key pair derived by such an algorithm can be guaranteed to be unique worldwide. When this key pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key; otherwise decryption will not succeed.
There may be multiple ways of creating the key pair in the terminal, and the ways may specifically be as follows:
for example, a communication connection is established with the production line server, a key generation request sent by the production line server is received through the communication connection, a private key is inquired in the terminal secure space based on the key generation request, when the private key exists in the terminal secure space, the private key and a public key corresponding to the private key are used as a key pair, and when the private key does not exist in the terminal secure space, the key pair is generated in the terminal secure space.
For example, the terminal may communicate with a secure application (TA) through a secure communication program (CA) running in the normal world, and query through the TA whether a generated private key already exists under the TEE (Trusted Execution Environment). If no generated private key exists, the TA generates a key pair and the key pair is then stored in the RPMB partition; if one exists, the generated private key and public key are directly returned to the CA as the key pair, as shown in fig. 5.
When the terminal security space does not have the private key, there are various ways to generate the key pair in the terminal security space, for example, the key pair may be created by TA under the TEE of the terminal, or another security algorithm may be used to create the key pair in another area of the terminal, or the key pair creation information of the user may be received, and the key pair is created in the TEE based on the key pair creation information.
After the key pair is created in the terminal, the key pair may be stored in the terminal secure space in various ways, for example, the key pair may be directly stored in the RPMB, or the key pair may also be stored in a secure data bucket in a TEE environment.
202. Send the public key and the terminal identifier to a token server so that the token server binds the public key and the terminal identifier.
For example, a public key export request sent by the production line server may be received, a public key may be exported from the terminal secure space according to the public key export request, the exported public key may be temporarily stored, and a storage address where the public key is temporarily stored may be sent to the production line server, so that the production line server sends the exported public key to the token server based on the storage address.
Taking the RPMB as the terminal security space, the process of exporting the public key may be as shown in fig. 6: the terminal receives a public key export request sent by the production line server; the CA initiates the export request; the export operation is executed in the TEE environment, where the TA exports the public key from the RPMB partition and returns the temporary storage location of the public key to the CA; the CA returns the temporary storage location to the production line server; and the production line server obtains the exported public key from the temporary storage location and sends the exported public key and the terminal identifier of the terminal to the token server. After obtaining the public key and the terminal identifier, the token server binds them and stores the bound public key in the preset public key set.
203. Send the terminal identifier and the token authority requirement information to the token server so that the token server generates the encrypted token information based on the terminal identifier and the token authority information.
For example, the terminal identifier of the terminal may be acquired, and the terminal identifier and the token authority requirement information may be sent directly to the token server. Alternatively, when the terminal identifier and the token authority requirement information occupy a large amount of memory, the storage address of the terminal identifier and the token authority requirement information may be sent to the token server after the terminal identifier is acquired, so that the token server obtains them according to the storage address.
For example, the SN of the terminal may be acquired through the ADB shelldevise service, and this data cannot be tampered with; for the IMEI, an IMEI acquisition request may be submitted and the IMEI of the terminal retrieved from a secure memory (OTP). The SN and the IMEI of the terminal are then used as the terminal identifier.
The token server receives the terminal identifier and the token permission requirement information, and then generates encrypted token information based on the terminal identifier and the token permission information, and the encrypted token information can be generated in various ways, for example, according to the token permission requirement information, authority setting is performed on a token corresponding to a target terminal to obtain configured token information, a public key corresponding to the terminal identifier is screened out from a preset public key set, and the configured token information and the terminal identifier are encrypted based on the public key to obtain the encrypted token information.
204. Obtain the encrypted token information generated by the token server, and store the encrypted token information in the terminal security space.
For example, the encrypted token information sent by the token server may be directly obtained, or an allocation request sent by the token server may be received, where the allocation request carries an allocation identifier, a storage address or a download authority of the encrypted token information is extracted from the allocation identifier, and the encrypted token information is obtained based on the storage address or the download authority.
After the encrypted token information is obtained, the encrypted token information may be stored in a terminal security space, for example, the encrypted token information may be directly stored in an RPMB partition in a TEE security environment.
As shown in fig. 7, a user triggers a token permission information acquisition request through the token permission selection page of an application APK, and the IMEI/SN of the terminal is sent to the token server with that request. The token server encrypts the SN and the configured token information with the public key corresponding to the terminal identifier to generate the encrypted token information, and then distributes the encrypted token information to the corresponding terminal. The terminal downloads the distributed encrypted token information over the public network and stores it in a specific partition of the terminal.
Optionally, after the encrypted token information is stored in the terminal security space, authentication may be performed in an authentication scenario, and this may be done in several ways. For example, when an authentication scenario of the terminal is started, the private key corresponding to the authentication scenario is read from the terminal security space, the encrypted token information is decrypted based on the private key, the target token of the authentication scenario and the token authority of the target token are identified in the decrypted token information, and authentication is performed in the authentication scenario according to the target token and the token authority.
The authentication scenarios may be of various types; for example, they may include opening the DIAG port for network analysis packet capture, enabling UART debugging information output for boot anomaly analysis, specific ROOT authority controlled debugging, and other similar controlled port authorities.
As can be seen from the above, in the embodiment of the application, a key pair is created in a terminal, and after the key pair is stored in a terminal security space, a public key and a terminal identifier in the key pair are sent to a token server, so that the token server binds the public key and the terminal identifier, and sends the terminal identifier and token authority requirement information to the token server, so that the token server generates encrypted token information based on the terminal identifier and the token authority information. Then, obtaining encrypted token information generated by the token server, and storing the encrypted token information to a terminal security space; according to the scheme, the terminal creates the key pair and then stores the key pair in the security space, so that the security of the private key is improved, the obtained encrypted token information is generated by the token server based on the terminal identification and the token authority information, and then the token protection is controlled through the private key stored in the security space of the terminal, so that the security of token management can be improved.
The method described in the above examples is further illustrated in detail below by way of example.
In this embodiment, a first token management device is specifically integrated in a first electronic device, the first electronic device is a server, a second token management device is integrated in a second electronic device, the second electronic device is a terminal, a terminal security space is an RPMB partition, a terminal identifier is an IMEI/SN, and a production line server is a production line workstation.
As shown in fig. 8, a token management method specifically includes the following steps:
301. The terminal creates a key pair within the terminal and stores the key pair in the RPMB partition.
For example, the terminal establishes a communication connection with a production line workstation, receives through that connection a key generation request sent by the production line workstation, and, based on the key generation request, communicates with a TA through a CA running in the normal world and queries through the TA whether a generated private key exists in the RPMB under the TEE. When no private key exists in the RPMB, the terminal may create a key pair under the TEE of the terminal through the TA, may create the key pair in another area of the terminal using another security algorithm, or may receive key pair creation information from a user and create the key pair in the TEE based on that information. When a private key exists in the RPMB, the generated private key and public key are directly returned to the CA as the key pair.
After the terminal creates the key pair, the key pair is stored in the RPMB, or the key pair can also be stored in a secure data bucket in a TEE environment.
302. The terminal sends the public key and the terminal identification to the token server.
For example, the terminal may receive a public key export request sent by the production line workstation, export the public key from the RPMB partition according to the public key export request, temporarily store the exported public key, and send the storage address of the temporarily stored public key to the production line workstation, so that the production line workstation sends the exported public key to the token server based on the storage address.
303. The token server binds the terminal identifier and the public key and stores the bound public key in a preset public key set.
For example, the token server may receive a terminal public key upload request sent by the production line workstation, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal collected by the production server, bind the original terminal identifier and the target public key, store the bound target public key in a preset public key set, and send a storage state of the bound target public key to the production line workstation.
304. The terminal sends the terminal identifier and the token authority requirement information to the token server.
For example, the terminal may obtain the SN through the ADB shelldevise service, retrieve the IMEI of the terminal from the OTP, and use the SN and the IMEI of the terminal as the terminal identifier. It then sends the terminal identifier and the token permission requirement information to the token server. Alternatively, when the terminal identifier and the token permission requirement information occupy a large amount of memory, the terminal may, after obtaining its terminal identifier, send the storage address of the terminal identifier and the token permission requirement information to the token server, so that the token server obtains them according to the storage address.
305. The token server performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain the configured token information.
For example, the token server may extract a configuration authority policy from the token authority requirement information, and use the configuration authority policy as the token authority configuration information of the target terminal, or identify at least one token authority configuration item from the token authority requirement information, screen basic token authority configuration information corresponding to the token authority configuration item from a preset token authority configuration information set, and fuse the basic token authority configuration information to obtain the token authority configuration information of the target terminal.
The token server identifies token identifications needing to be configured in the token configuration permission information, screens out tokens corresponding to the token identifications from a preset token set to obtain tokens corresponding to the target terminal, then identifies token permission sets needing to be configured in the token configuration permission information, and matches the token permission sets with the tokens to obtain target permission of each token.
The token server obtains attribute information of the token, identifies the current authority of the token for a target terminal in the attribute information, and adjusts the current authority to the target authority, so as to obtain configured token information, or obtains a candidate authority list of each token, selects the target authority from the candidate authority list, obtains the target authority list of each terminal, associates the target authority list with a terminal identification, and configures the authority of the corresponding token based on the associated target authority list, so as to obtain configured token information.
Optionally, the token server may generate a configuration state of the token according to the configuration token information, send the configuration state and the expiration time of the configured token information to the target terminal, and screen out a public key corresponding to the terminal identifier from a preset public key set when receiving a token right information acquisition request sent by the target terminal within the expiration time, or may generate the configuration state of the token according to the configuration token information and return the configuration state to the configuration server, so that the configuration server sends the configuration state and the expiration time corresponding to the configuration state to the target terminal.
306. The token server screens out the public key corresponding to the terminal identifier from the preset public key set, and encrypts the configured token information and the terminal identifier based on the public key.
For example, the token server may directly screen out a public key corresponding to the terminal identifier from a preset public key set, obtain an encryption algorithm corresponding to the public key, bind the configured token information and the terminal identifier with the public key based on the encryption algorithm, and encrypt the token information to obtain encrypted token information.
307. The token server distributes the encrypted token information to the target terminal.
For example, the token server may directly send the encrypted token information to the terminal, or may add an allocation identifier to the encrypted token information, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and generate an allocation request, where the allocation request carries the allocation identifier, so that the target terminal obtains the encrypted token information based on the allocation identifier.
308. The terminal stores the encrypted token information in the RPMB partition.
For example, the terminal may directly store the encrypted token information to the RPMB partition in the TEE security environment.
Optionally, after the encrypted token information is stored in the RPMB partition, when an authentication scenario of the terminal is started, the terminal reads the private key corresponding to the authentication scenario from the RPMB partition, decrypts the encrypted token information based on the private key, identifies the target token of the authentication scenario and the token authority of the target token in the decrypted token information, and performs authentication in the authentication scenario according to the target token and the token authority.
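The flow of steps 301 to 308 and the authentication check, as an added example that is not part of the original publication. The publication names no public-key algorithm, so an ElGamal-style key encapsulation built from the Python standard library stands in for it; the class and function names, the scenario labels and the dictionary used in place of the RPMB partition are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in public-key scheme (assumption: the page names no algorithm):
# ElGamal-style key encapsulation modulo the Mersenne prime 2**521 - 1,
# standard library only. Illustrative parameters, not a production choice.
P = 2**521 - 1
G = 3


def generate_key_pair():
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def _derive_keys(shared):
    seed = hashlib.sha256(shared.to_bytes(66, "big")).digest()
    return (hmac.new(seed, b"enc", hashlib.sha256).digest(),
            hmac.new(seed, b"mac", hashlib.sha256).digest())


def _keystream_xor(key, data):
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt_to_public_key(public, plaintext):
    ephemeral = secrets.randbelow(P - 3) + 2
    enc_key, mac_key = _derive_keys(pow(public, ephemeral, P))
    body = _keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"eph": pow(G, ephemeral, P), "body": body, "tag": tag}


def decrypt_with_private_key(private, blob):
    enc_key, mac_key = _derive_keys(pow(blob["eph"], private, P))
    expected = hmac.new(mac_key, blob["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("not encrypted to this terminal's key, or altered")
    return _keystream_xor(enc_key, blob["body"])


class TokenServer:
    def __init__(self):
        self.public_key_set = {}  # preset public key set: terminal id -> key

    def bind(self, terminal_id, public_key):
        """Step 303: bind the terminal identifier to the exported public key."""
        self.public_key_set[terminal_id] = public_key

    def issue(self, terminal_id, required_authorities):
        """Steps 305-307: configure the token, encrypt it with the identifier."""
        public_key = self.public_key_set[terminal_id]  # KeyError if unbound
        token_info = {"terminal_id": terminal_id,
                      "token": secrets.token_hex(16),
                      "authorities": sorted(required_authorities)}
        return encrypt_to_public_key(public_key, json.dumps(token_info).encode())


class Terminal:
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.secure_space = {}  # dict standing in for the RPMB partition

    def ensure_key_pair(self):
        """Steps 301-302: reuse an existing key, else generate; export public."""
        if "private" not in self.secure_space:
            private, public = generate_key_pair()
            self.secure_space.update(private=private, public=public)
        return self.secure_space["public"]

    def store(self, blob):
        """Step 308: keep the token encrypted at rest in the secure space."""
        self.secure_space["token_blob"] = blob

    def authenticate(self, scenario):
        """Decrypt on demand; allow the scenario only if the token grants it."""
        plaintext = decrypt_with_private_key(self.secure_space["private"],
                                             self.secure_space["token_blob"])
        info = json.loads(plaintext)
        if info["terminal_id"] != self.terminal_id:
            raise ValueError("token is bound to another terminal identifier")
        return scenario in info["authorities"]


if __name__ == "__main__":
    server = TokenServer()
    phone = Terminal("SN-TEST-0001")  # constructed identifier
    server.bind(phone.terminal_id, phone.ensure_key_pair())
    phone.store(server.issue(phone.terminal_id, ["diag_port"]))
    print(phone.authenticate("diag_port"), phone.authenticate("root_debug"))
```

The tag only detects alteration or a wrong key; encrypting to a public key does not by itself show which party produced the blob.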
In the process of managing the token, when the terminal is a mobile phone terminal and the scene is a production line scene, the public key can be transferred through a production line workstation, and the overall framework topology for token management may be as shown in fig. 9. Testing and after-sales personnel open the mobile phone terminal, and the mobile phone public key is imported through the production line workstation and then stored in the token server, which may also be called a token generation server. A token manager then authorizes and configures the token; the token server encrypts the configured token and the terminal identifier with the public key to obtain the encrypted token information and sends it to the terminal, and the terminal stores the encrypted token information in the terminal security space.
In the process of managing the token, taking a mobile phone terminal as the terminal and a token generation server as the token server, the process can be divided into two main stages. In the first stage, the mobile phone terminal exports its public key to the token generation server through the production line workstation. In the second stage, the mobile phone terminal sends the IMEI/SN of the device and the token permission requirement to the token generation server or the token permission configuration server, the permission of the token is configured, and the token generation server then encrypts with the public key of the terminal and sends the encrypted token information to the terminal, as shown in fig. 10. The process mainly includes the following four links:
(1) Key generation and public key export between the terminal device and the production line workstation
During startup, communication with the mobile phone is established through ADB and key generation is requested; the TA program on the terminal completes storage in the RPMB secure partition so that the encrypted key information can be used at a later stage, and the corresponding public key is exported and stored. The main steps are 1.1-3.3;
(2) Uploading the public key information of the device to the token generation server
The production line workstation uploads the IMEI information provided by the terminal and the exported public key information to the token generation server, for later dynamic generation of the authority token data that requires authorization. The main steps are 4.1-4.3;
(3) Application and configuration of the authority token for the terminal
To obtain an authority token, the terminal device needs to be registered; a dedicated policy administrator configures the authority token in the token generation server using the device SN, and the terminal device later completes the download of the authority token data over the public network through an APK operation. The main steps are 5.1-5.6;
(4) Storage of the authority token data by the terminal
Under the operation of a user in a public network environment, the terminal device communicates with the token generation server; the server looks up the pre-stored public key information of the terminal device according to the provided device IMEI information and binds it with the provided SN information to generate the encrypted authority token data. The main steps are 6.1-6.5.
As can be seen from the above, in the embodiment of the present application, after the token server receives the terminal identifier and the token permission requirement information sent by the target terminal, it performs permission configuration on the token corresponding to the target terminal according to the token permission requirement information, then screens out the public key corresponding to the terminal identifier from the preset public key set, encrypts the configured token information and the terminal identifier based on the public key, and distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, the token corresponding to the target terminal is configured according to the target terminal's token authority requirement information, and the configured token is encrypted with the public key corresponding to the target terminal's terminal identifier, so that unified key management is dispersed into token protection controlled by the key of each independent device. This minimizes the risk that the leakage of a single key allows all tokens to be injected arbitrarily, and therefore improves the security of token management.
In order to better implement the above method, an embodiment of the present invention provides a token management apparatus (i.e., a first token management apparatus), where the first token management apparatus may be integrated in a server, and the server may be a single server or a server cluster formed by multiple servers.
For example, as shown in fig. 11, the first token management apparatus may include a receiving unit 401, a configuration unit 402, an encryption unit 403, and a transmitting unit 404, as follows:
(1) a receiving unit 401;
the receiving unit 401 is configured to receive the terminal identifier and the token right requirement information sent by the target terminal.
For example, the receiving unit 401 may be specifically configured to receive the terminal identifier and the token permission requirement information sent by the target terminal, or receive the terminal identifier and the token permission requirement information sent by the target terminal and received by the configuration server, or, when the number of the terminal identifiers and the token permission requirement information is large or the memory is large, may also receive the storage address of the terminal identifier and the token permission requirement information sent by the target terminal or the configuration server, and obtain the terminal identifier and the token permission requirement information of the target terminal based on the storage address.
(2) A configuration unit 402;
a configuration unit 402, configured to perform permission configuration on the token corresponding to the target terminal according to the token permission requirement information, to obtain the configured token information.
For example, the configuration unit 402 may be specifically configured to determine token permission configuration information of the target terminal according to the token permission requirement information, screen out a token corresponding to the target terminal from a preset token set based on the token permission configuration information, determine a target permission of the token, and perform permission configuration on the token according to the target permission to obtain the configured token information.
(3) An encryption unit 403;
an encryption unit 403, configured to screen out a public key corresponding to the terminal identifier from a preset public key set, and encrypt the configured token information and the terminal identifier based on the public key.
For example, the encryption unit 403 may be specifically configured to screen out a public key corresponding to the terminal identifier from a preset public key set, obtain an encryption algorithm corresponding to the public key, bind the configured token information and the terminal identifier with the public key based on the encryption algorithm, and encrypt the token information to obtain encrypted token information.
(4) A transmission unit 404;
a sending unit 404, configured to distribute the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on a private key corresponding to the public key in the terminal security space.
For example, the sending unit 404 may be specifically configured to send the encrypted token information to the terminal, or may further add, to the encrypted token information, an allocation identifier, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and generate an allocation request, where the allocation request carries the allocation identifier, so that the target terminal obtains the encrypted token information based on the allocation identifier.
Optionally, the first token management apparatus may further include a storage unit 405, as shown in fig. 12, which may specifically be as follows:
the storage unit 405 is configured to bind the terminal identifier of the target terminal and the public key, and store the bound public key in a preset public key set.
For example, the storage unit 405 may be specifically configured to receive a terminal public key upload request sent by the production line server, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal acquired by the production server, bind the original terminal identifier and the target public key, store the bound target public key to a preset public key set, and send a storage state of the bound target public key to the production line server.
In a specific implementation, the above units may be implemented as independent entities, or may be combined arbitrarily to be implemented as the same or several entities, and the specific implementation of the above units may refer to the foregoing method embodiments, which are not described herein again.
As can be seen from the above, in the embodiment of the application, after the receiving unit 401 receives the terminal identifier and the token permission requirement information sent by the target terminal, the configuration unit 402 performs permission configuration on the token corresponding to the target terminal according to the token permission requirement information to obtain the configured token information; the encryption unit 403 then screens out the public key corresponding to the terminal identifier from the preset public key set and encrypts the configured token information and the terminal identifier based on the public key, and the sending unit 404 distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, the token corresponding to the target terminal is configured according to the target terminal's token authority requirement information, and the configured token is encrypted with the public key corresponding to the target terminal's terminal identifier, so that unified key management is dispersed into token protection controlled by the key of each independent device. This minimizes the risk that the leakage of a single key allows all tokens to be injected arbitrarily, and therefore improves the security of token management.
In order to better implement the above method, the embodiment of the present invention further provides a token management apparatus (i.e. a second token management apparatus), which may be integrated in a terminal, where the terminal may include a tablet computer, a notebook computer, and/or a personal computer.
For example, as shown in fig. 13, the second token management apparatus may include a creating unit 501, a binding unit 502, a generating unit 503, and an obtaining unit 504, as follows:
(1) A creating unit 501;
The creating unit 501 is configured to create a key pair in the terminal and store the key pair in a terminal secure space, where the key pair includes a public key and a private key corresponding to the public key.
For example, the creating unit 501 may be specifically configured to establish a communication connection with a production line server, receive a key generation request sent by the production line server through the communication connection, query a private key in a terminal secure space based on the key generation request, use the private key and a public key corresponding to the private key as a key pair when the private key exists in the terminal secure space, and generate the key pair in the terminal secure space when the private key does not exist in the terminal secure space.
(2) A binding unit 502;
The binding unit 502 is configured to send the public key and the terminal identifier to the token server, so that the token server binds the public key and the terminal identifier.
For example, the binding unit 502 may be specifically configured to receive a public key export request sent by the production line server, export the public key from the terminal secure space according to the public key export request, temporarily store the exported public key, and send the storage address of the temporarily stored public key to the production line server, so that the production line server sends the exported public key to the token server based on the storage address.
(3) A generation unit 503;
The generating unit 503 is configured to send the terminal identifier and the token authority requirement information to the token server, so that the token server generates encrypted token information based on the terminal identifier and the token authority information.
For example, the generating unit 503 may be specifically configured to obtain a terminal identifier of the terminal and directly send the terminal identifier and the token authority requirement information to the token server; or, when the terminal identifier and the token authority requirement information occupy a large amount of memory, to send, after obtaining the terminal identifier of the terminal, a storage address of the terminal identifier and the token authority requirement information to the token server, so that the token server obtains the terminal identifier and the token authority requirement information according to the storage address.
(4) An acquisition unit 504;
The obtaining unit 504 is configured to obtain the encrypted token information generated by the token server, and store the encrypted token information in the terminal security space.
For example, the obtaining unit 504 may be specifically configured to directly obtain the encrypted token information sent by the token server, or may also receive an allocation request sent by the token server, where the allocation request carries an allocation identifier, extract a storage address or a download authority of the encrypted token information from the allocation identifier, and obtain the encrypted token information based on the storage address or the download authority.
Optionally, the second token management apparatus may further include an authentication unit 505, as shown in fig. 14, which may specifically be as follows:
An authentication unit 506, configured to perform authentication in an authentication scenario based on the encrypted token information when the authentication scenario of the terminal is started.
For example, the authentication unit 506 may be specifically configured to, when an authentication scenario of the terminal is started, read a private key corresponding to the authentication scenario in a terminal security space, decrypt the encrypted token information based on the private key, identify a target token of the authentication scenario and a token authority of the target token in the decrypted token information, and perform authentication in the authentication scenario according to the target token and the token authority.
In a specific implementation, the above units may be implemented as independent entities, or may be combined arbitrarily to be implemented as the same or several entities, and the specific implementation of the above units may refer to the foregoing method embodiments, which are not described herein again.
As can be seen from the above, in this embodiment, after the creating unit 501 creates a key pair in the terminal and stores the key pair in the terminal secure space, the binding unit 502 sends the public key of the key pair and the terminal identifier to the token server, so that the token server binds the public key and the terminal identifier, and the generating unit 503 sends the terminal identifier and the token authority requirement information to the token server, so that the token server generates the encrypted token information based on the terminal identifier and the token authority information. Then, the obtaining unit 504 obtains the encrypted token information generated by the token server and stores it in the terminal security space. In this scheme, the terminal creates the key pair and stores it in the security space, which improves the security of the private key; the encrypted token information is generated by the token server based on the terminal identifier and the token authority information, and token protection is then controlled by the private key stored in the security space of the terminal, so the security of token management can be improved.
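The exchange between the two apparatuses described above, as an added Go sketch that is not part of the patent text: each terminal holds its own key pair, the token server binds the public key to the terminal identifier, and a token encrypted for one terminal is useless on another. RSA-2048 with OAEP/SHA-256, the JSON field names, the `SN-…` identifiers, the token value and the permission names are assumptions made for the example, and the in-memory private key stands in for the terminal secure space.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenInfo is the configured token record (field names are assumptions).
type TokenInfo struct {
	TerminalID  string   `json:"terminal_id"`
	Token       string   `json:"token"`
	Permissions []string `json:"permissions"`
}

// Terminal models one device; priv stands in for a key kept in the secure space.
type Terminal struct {
	ID   string
	priv *rsa.PrivateKey
}

// NewTerminal creates the per-device key pair.
func NewTerminal(id string) (*Terminal, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{ID: id, priv: key}, nil
}

// PublicKey exports only the public half for binding at the token server.
func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// TokenServer holds the preset public key set: terminal ID -> bound public key.
type TokenServer struct{ keys map[string]*rsa.PublicKey }

func NewTokenServer() *TokenServer { return &TokenServer{keys: map[string]*rsa.PublicKey{}} }

// Bind stores a public key under a terminal ID. Refusing to overwrite an
// existing binding is a choice of this sketch, not something the page states.
func (s *TokenServer) Bind(id string, pub *rsa.PublicKey) error {
	if _, ok := s.keys[id]; ok {
		return errors.New("terminal already bound: " + id)
	}
	s.keys[id] = pub
	return nil
}

// Issue configures the token with the requested permissions and encrypts it,
// together with the terminal ID, under that terminal's own public key.
func (s *TokenServer) Issue(id, token string, wanted []string) ([]byte, error) {
	pub, ok := s.keys[id]
	if !ok {
		return nil, errors.New("no public key bound to terminal " + id)
	}
	plain, err := json.Marshal(TokenInfo{TerminalID: id, Token: token, Permissions: wanted})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// Authorize decrypts the stored blob with the device key, then checks that the
// token names this terminal and grants the permission the scenario needs.
func (t *Terminal) Authorize(blob []byte, scene string) (bool, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, blob, nil)
	if err != nil {
		return false, fmt.Errorf("decrypt token: %w", err)
	}
	var info TokenInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return false, err
	}
	if info.TerminalID != t.ID {
		return false, errors.New("token was issued for another terminal")
	}
	for _, p := range info.Permissions {
		if p == scene {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	server := NewTokenServer()
	a, _ := NewTerminal("SN-0001") // constructed sample identifiers
	b, _ := NewTerminal("SN-0002")
	_ = server.Bind(a.ID, a.PublicKey())
	blob, _ := server.Issue(a.ID, "sample-token", []string{"bootloader_unlock"})
	ok, err := a.Authorize(blob, "bootloader_unlock")
	fmt.Println("terminal A:", ok, err)
	_, err = b.Authorize(blob, "bootloader_unlock")
	fmt.Println("terminal B with A's blob:", err)
}
```

With a 2048-bit key and SHA-256, RSA-OAEP accepts at most 190 bytes of plaintext, so a larger token record needs a hybrid scheme (a symmetric key wrapped under the terminal's public key).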
An embodiment of the present invention further provides an electronic device, as shown in fig. 15, which shows a schematic structural diagram of the electronic device according to the embodiment of the present invention, specifically:
the electronic device may include components such as a processor 601 of one or more processing cores, memory 602 of one or more computer-readable storage media, a power supply 603, and an input unit 604. Those skilled in the art will appreciate that the electronic device configuration shown in fig. 15 does not constitute a limitation of the electronic device and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 601 is a control center of the electronic device, connects various parts of the whole electronic device by using various interfaces and lines, and performs various functions of the electronic device and processes data by operating or executing software programs and/or modules stored in the memory 602 and calling data stored in the memory 602, thereby performing overall monitoring of the electronic device. Optionally, processor 601 may include one or more processing cores; preferably, the processor 601 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 601.
The memory 602 may be used to store software programs and modules, and the processor 601 executes various functional applications and data processing by operating the software programs and modules stored in the memory 602. The memory 602 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the electronic device, and the like. Further, the memory 602 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 602 may also include a memory controller to provide the processor 601 with access to the memory 602.
The electronic device further comprises a power supply 603 for supplying power to the various components, and preferably, the power supply 603 is logically connected to the processor 601 through a power management system, so that functions of managing charging, discharging, power consumption, and the like are realized through the power management system. The power supply 603 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The electronic device may further include an input unit 604, and the input unit 604 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the electronic device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 601 in the electronic device loads the executable file corresponding to the process of one or more application programs into the memory 602 according to the following instructions, and the processor 601 runs the application program stored in the memory 602, thereby implementing various functions as follows:
after receiving a terminal identifier and token authority requirement information sent by a target terminal, authority configuration is carried out on a token corresponding to the target terminal according to the token authority requirement information, the configured token information is obtained, then a public key corresponding to the terminal identifier is screened out from a preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on a private key corresponding to the public key in a terminal security space.
Alternatively,
creating a key pair in the terminal, storing the key pair in a terminal security space, and sending a public key in the key pair and a terminal identifier to a token server so that the token server can bind the public key and the terminal identifier; and sending the terminal identification and the token permission requirement information to a token server so that the token server can generate encrypted token information based on the terminal identification and the token permission information, then acquiring the encrypted token information generated by the token server, and storing the encrypted token information to a terminal security space.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
As can be seen from the above, in the embodiment of the present invention, after the terminal identifier and the token authority requirement information sent by the target terminal are received, authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information to obtain the configured token information; the public key corresponding to the terminal identifier is then screened out from the preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal, so that unified key management is dispersed into token protection controlled by the key of each independent device. The risk that all tokens could be arbitrarily injected because a single key is leaked is reduced to the maximum extent, and the security of token management can therefore be improved.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, the embodiment of the present invention provides a computer-readable storage medium, in which a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any one of the token management methods provided by the embodiment of the present invention. For example, the instructions may perform the steps of:
after receiving a terminal identifier and token authority requirement information sent by a target terminal, authority configuration is carried out on a token corresponding to the target terminal according to the token authority requirement information, the configured token information is obtained, then a public key corresponding to the terminal identifier is screened out from a preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on a private key corresponding to the public key in a terminal security space.
Alternatively,
creating a key pair in the terminal, storing the key pair in a terminal security space, and sending a public key in the key pair and a terminal identifier to a token server so that the token server can bind the public key and the terminal identifier; and sending the terminal identification and the token permission requirement information to a token server so that the token server can generate encrypted token information based on the terminal identification and the token permission information, then acquiring the encrypted token information generated by the token server, and storing the encrypted token information to a terminal security space.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The computer-readable storage medium may include: Read-Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the computer-readable storage medium can execute the steps in any token management method provided in the embodiments of the present invention, the beneficial effects that can be achieved by any token management method provided in the embodiments of the present invention can be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
According to an aspect of the application, there is provided, among other things, a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the electronic device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the electronic device to perform the method provided in the various alternative implementations of the token management aspect or the token authority management aspect described above.
The token management method and apparatus provided by the embodiments of the present invention are described in detail above, and the principles and embodiments of the present invention are explained herein by applying specific examples, and the description of the embodiments is only used to help understanding the method and core ideas of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A token management method, comprising:
receiving a terminal identifier and token authority requirement information sent by a target terminal;
according to the token permission requirement information, carrying out permission configuration on the token corresponding to the target terminal to obtain configured token information;
screening out a public key corresponding to the terminal identification from a preset public key set, and encrypting the configured token information and the terminal identification based on the public key;
and distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in the terminal security space.
2. The token management method according to claim 1, wherein the performing, according to the token permission requirement information, permission configuration on the token corresponding to the target terminal to obtain the configured token information comprises:
determining token authority configuration information of the target terminal according to the token authority requirement information;
screening out tokens corresponding to the target terminal from a preset token set based on the token permission configuration information, and determining the target permission of the tokens;
and carrying out authority configuration on the token according to the target authority to obtain the configured token information.
3. The token management method according to claim 2, wherein after the performing the authority configuration on the token according to the target authority to obtain the configured token information, the method further comprises:
generating a configuration state of the token according to the configured token information;
sending the configuration state and the expiration time of the configuration state to the target terminal;
the screening out the public key corresponding to the terminal identifier from the preset public key set comprises: and when a token authority information acquisition request sent by the target terminal is received within the expiration time, screening out a public key corresponding to the terminal identifier from a preset public key set.
4. The token management method according to any one of claims 1 to 3, wherein before the screening out the public key corresponding to the terminal identifier from the preset public key set, the method further comprises:
receiving a terminal public key uploading request sent by a production line server, wherein the terminal public key uploading request carries an original terminal identifier and a target public key of at least one terminal collected by the production line server;
binding the original terminal identification and the target public key, and storing the bound target public key to a preset public key set;
and sending the storage state of the bound target public key to the production line server.
5. A token management method, comprising:
creating a key pair in a terminal, and storing the key pair in a terminal security space, wherein the key pair comprises a public key and a private key corresponding to the public key;
sending the public key and the terminal identification to a token server so that the token server can bind the public key and the terminal identification;
sending the terminal identification and the token permission requirement information to the token server so that the token server can generate encrypted token information based on the terminal identification and the token permission information;
and obtaining the encrypted token information generated by the token server, and storing the encrypted token information to the terminal security space.
6. The token management method of claim 5, wherein creating a key pair in the terminal comprises:
establishing communication connection with a production line server, and receiving a key generation request sent by the production line server through the communication connection;
inquiring a private key in the terminal security space based on the key generation request;
when the terminal security space has the private key, taking the private key and a public key corresponding to the private key as a key pair;
and when the private key does not exist in the terminal security space, generating a key pair in the terminal security space.
7. The token management method of claim 5, wherein sending the public key and the terminal identification to the server comprises:
receiving a public key export request sent by the production line server;
exporting the public key from the terminal security space according to the public key export request, and temporarily storing the exported public key;
and sending the storage address of the temporarily stored public key to the production line server, so that the production line server sends the exported public key and the terminal identifier to a token server based on the storage address.
8. The token management method of claim 5, wherein after storing the encrypted token information in the terminal secure space, the method further comprises:
when an authentication scene of a terminal is started, reading a private key corresponding to the authentication scene in a terminal security space;
decrypting the encrypted token information based on the private key, and identifying a target token of the authentication scene and the token authority of the target token in the decrypted token information;
and performing authentication in the authentication scene according to the target token and the token authority.
9. A token management apparatus, comprising:
the receiving unit is used for receiving the terminal identification and the token authority requirement information sent by the target terminal;
the configuration unit is used for carrying out authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
the encryption unit is used for screening out a public key corresponding to the terminal identifier from a preset public key set and encrypting the configured token information and the terminal identifier based on the public key;
and the sending unit is used for distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in the terminal security space.
10. A token management apparatus, comprising:
the creating unit is used for creating a key pair in a terminal and storing the key pair in a terminal security space, wherein the key pair comprises a public key and a private key corresponding to the public key;
the binding unit is used for sending the public key and the terminal identification to a token server so that the token server can bind the public key and the terminal identification;
the generating unit is used for sending the terminal identification and the token authority requirement information to the token server so that the token server can generate encrypted token information based on the terminal identification and the token authority information;
and the obtaining unit is used for obtaining the encrypted token information generated by the token server and storing the encrypted token information to the terminal security space.
CN202111431651.2A 2021-11-29 2021-11-29 Token management method and device Active CN114157470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111431651.2A CN114157470B (en) 2021-11-29 2021-11-29 Token management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111431651.2A CN114157470B (en) 2021-11-29 2021-11-29 Token management method and device

Publications (2)

Publication Number Publication Date
CN114157470A true CN114157470A (en) 2022-03-08
CN114157470B CN114157470B (en) 2024-01-19

Family

ID=80784159

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111431651.2A Active CN114157470B (en) 2021-11-29 2021-11-29 Token management method and device

Country Status (1)

Country Link
CN (1) CN114157470B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115412503A (en) * 2022-08-29 2022-11-29 中国工商银行股份有限公司 Cloud disk pushing method and device for electronic receipt, storage medium and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152366A (en) * 2013-04-10 2013-06-12 珠海市魅族科技有限公司 Method, terminal and server for obtaining terminal authorization
CN104821937A (en) * 2015-03-26 2015-08-05 腾讯科技(北京)有限公司 Token acquisition method, device and system
CN106411501A (en) * 2016-10-28 2017-02-15 美的智慧家居科技有限公司 Method and system for generating permission token and equipment
FR3041798A1 (en) * 2015-09-29 2017-03-31 Peugeot Citroen Automobiles Sa IMPROVED AUTHENTICATION METHOD AND DEVICE
WO2018076291A1 (en) * 2016-10-28 2018-05-03 美的智慧家居科技有限公司 Method and system for generating permission token, and device
CN111213339A (en) * 2017-10-19 2020-05-29 T移动美国公司 Authentication token with client key

Also Published As

Publication number Publication date
CN114157470B (en) 2024-01-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant