CN114157470B - Token management method and device - Google Patents


Info

Publication number: CN114157470B
Authority: CN (China)
Prior art keywords: token, terminal, public key, information, server
Legal status: Active (The legal status is an assumption and is not a legal conclusion.)
Application number: CN202111431651.2A
Other languages: Chinese (zh)
Other versions: CN114157470A (en)
Inventor: 姜海辉
Current Assignee: Huizhou TCL Mobile Communication Co Ltd
Original Assignee: Huizhou TCL Mobile Communication Co Ltd
Application filed by: Huizhou TCL Mobile Communication Co Ltd
Priority to: CN202111431651.2A
Publication of application: CN114157470A
Application granted; publication of grant: CN114157470B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a token management method and device. After receiving a terminal identifier and token authority requirement information sent by a target terminal, the embodiment performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information, screens out a public key corresponding to the terminal identifier from a preset public key set, encrypts the configured token information and the terminal identifier based on the public key, and distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in a terminal safety space. The scheme can improve the security of token management.

Description

Token management method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a token management method and apparatus.
Background
In recent years, with the rapid development of internet technology, a device terminal can realize various functional requirements through various tokens. Since a token involves control of exposed ports, tokens need to be securely managed. In the existing token management mode, the token server mainly controls token authority through a unified key. As a result, all devices use the unified key to perform security processing on tokens, and security depends too heavily on the management of a single key, which reduces the security of token management.
Disclosure of Invention
The embodiment of the invention provides a token management method and a device, which can improve the security of token management.
A token management method, comprising:
receiving a terminal identifier and token authority requirement information sent by a target terminal;
performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
screening a public key corresponding to the terminal identifier from a preset public key set, and encrypting the configured token information and the terminal identifier based on the public key;
and distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in a terminal safety space.
Optionally, another token management method may be provided in the embodiments of the present application, including:
creating a key pair in a terminal, and storing the key pair in a terminal safety space, wherein the key pair comprises a public key and a private key corresponding to the public key;
sending the public key and the terminal identifier to a token server so that the token server binds the public key and the terminal identifier;
transmitting the terminal identifier and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identifier and the token authority information;
and acquiring the encrypted token information generated by the token server, and storing the encrypted token information into the terminal safety space.
Correspondingly, an embodiment of the present invention provides a token management device, including:
the receiving unit is used for receiving the terminal identification and the token authority requirement information sent by the target terminal;
the configuration unit is used for performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
the encryption unit is used for screening out a public key corresponding to the terminal identifier from a preset public key set and encrypting the configured token information and the terminal identifier based on the public key;
and the sending unit is used for distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in a terminal safety space.
Optionally, the embodiment of the present application may further provide a token management apparatus, including:
the creation unit is used for creating a key pair in a terminal and storing the key pair in a terminal safety space, wherein the key pair comprises a public key and a private key corresponding to the public key;
the binding unit is used for sending the public key and the terminal identifier to the token server so that the token server binds the public key and the terminal identifier;
the generation unit is used for sending the terminal identification and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identification and the token authority information;
and the acquisition unit is used for acquiring the encrypted token information generated by the token server and storing the encrypted token information into the terminal safety space.
Optionally, in some embodiments, the configuration unit may be specifically configured to determine token authority configuration information of the target terminal according to the token authority requirement information; based on the token authority configuration information, screening out a token corresponding to the target terminal from a preset token set, and determining the target authority of the token; and configuring the rights of the token according to the target rights, and obtaining configured token information.
Optionally, in some embodiments, the configuration unit may specifically be configured to generate a configuration state of the token according to the configured token information; transmitting the configuration state and the expiration time of the configuration state to the target terminal; the step of screening the public key corresponding to the terminal identifier from a preset public key set includes: and when the token authority information acquisition request sent by the target terminal is received within the expiration time, screening out a public key corresponding to the terminal identifier from a preset public key set.
Optionally, in some embodiments, the token management device may further include a storage unit, where the storage unit may be specifically configured to receive a terminal public key upload request sent by a production line server, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal acquired by the production line server; bind the original terminal identifier and the target public key, and store the bound target public key into a preset public key set; and send the storage state of the bound target public key to the production line server.
Optionally, in some embodiments, the creating unit may specifically be configured to establish a communication connection with a production line server, and receive, through the communication connection, a key generation request sent by the production line server; query for a private key in the terminal safety space based on the key generation request; when the private key exists in the terminal safety space, use the private key and the public key corresponding to the private key as a key pair; and when the private key does not exist in the terminal safety space, generate a key pair in the terminal safety space.
Optionally, in some embodiments, the binding unit may be specifically configured to receive a public key export request sent by the production line server; according to the public key export request, export the public key from the terminal safety space, and temporarily store the exported public key; and send the storage address at which the public key is temporarily stored to the production line server, so that the production line server sends the exported public key and the terminal identifier to the token server based on the storage address.
Optionally, in some embodiments, the token management device may further include an authentication unit, where the authentication unit may be specifically configured to, when an authentication scene of a terminal is started, read a private key corresponding to the authentication scene in the secure space of the terminal; decrypting the encrypted token information based on the private key, and identifying a target token of the authentication scene and the token authority of the target token in the decrypted token information; and authenticating under the authentication scene according to the target token and the token authority.
In addition, the embodiment of the invention also provides electronic equipment, which comprises a processor and a memory, wherein the memory stores an application program, and the processor is used for running the application program in the memory to realize the token management method provided by the embodiment of the invention.
In addition, the embodiment of the invention further provides a computer readable storage medium, wherein the computer readable storage medium stores a plurality of instructions, and the instructions are suitable for being loaded by a processor to execute the steps in any token management method provided by the embodiment of the invention.
After receiving a terminal identifier and token authority requirement information sent by a target terminal, the embodiment of the invention performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information, screens out a public key corresponding to the terminal identifier from a preset public key set, encrypts the configured token information and the terminal identifier based on the public key, and distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in a terminal safety space. In this scheme, the token corresponding to the target terminal is configured according to the token authority requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal, so that unified key management is dispersed into protection of tokens by each device's own independent key. This minimizes the risk that leakage of one key allows all tokens to be injected arbitrarily, and the security of token management can therefore be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a token management system provided by an embodiment of the present invention;
FIG. 2 is a schematic view of a scenario of a token management method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a method for token management according to an embodiment of the present invention;
FIG. 4 is another flow chart of a token management method according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of querying a private key in a secure space of a terminal according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of a terminal exporting a public key according to an embodiment of the present invention;
FIG. 7 is a schematic flow chart of a terminal obtaining encrypted token information according to an embodiment of the present invention;
FIG. 8 is another flow chart of a token management method according to an embodiment of the present invention;
FIG. 9 is an overall framework topology of token management provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of an overall flow in a token management process provided by an embodiment of the present invention;
FIG. 11 is a schematic diagram of a first token management apparatus according to an embodiment of the present invention;
FIG. 12 is another schematic diagram of a first token management apparatus according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of a second token management apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a second token management apparatus according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The embodiment of the invention provides a token management method and device. The token management device may be integrated in an electronic device, which may be a server or a terminal. Specifically, the embodiment of the invention provides a token management device (which can be called a first token management device for distinguishing) applicable to a first electronic device, and a token management device (which can be called a second token management device for distinguishing) applicable to a second electronic device.
The first electronic device may be a network-side device such as a server. The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, network acceleration services (Content Delivery Network, CDN), and big data and artificial intelligence platforms. The second electronic device may be a terminal, which may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, which is not limited herein.
The embodiment of the invention takes the first electronic equipment as a server and the second electronic equipment as a terminal as an example to explain the token management method.
For example, referring to FIG. 1, an embodiment of the present invention provides a token management system including a token server 10, a production line server 20, and a terminal 30, where the token server 10, the production line server 20, and the terminal 30 are connected through a network, for example, through a wired or wireless network connection, and where the token management device may be integrated into the terminal, for example, in the form of a client.
The token server 10 may be configured to, after receiving a terminal identifier and token authority requirement information sent by a target terminal, perform authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information, then screen out a public key corresponding to the terminal identifier from a preset public key set, encrypt the configured token information and the terminal identifier based on the public key, and distribute the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in a terminal security space, thereby improving the security of token management, as shown in FIG. 2.
The terminal 30 may send the terminal identifier and the token authority requirement information to the token server, and receive the encrypted token information returned by the token server. Specifically, the terminal 30 may operate as follows:
creating a key pair in the terminal, storing the key pair in a terminal safety space, and sending the public key of the key pair and a terminal identifier to a token server so that the token server binds the public key and the terminal identifier; sending the terminal identifier and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identifier and the token authority information; and then acquiring the encrypted token information generated by the token server and storing it in the terminal safety space, thereby improving the security of token management.
The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.
This embodiment is described from the perspective of a first token management apparatus, which may be specifically integrated in an electronic device. The electronic device may be a server, and the server may be an independent physical server, a server cluster or distributed system formed by multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, network acceleration services (Content Delivery Network, CDN), and big data and artificial intelligence platforms.
As shown in fig. 3, the specific flow of the token management method is as follows:
101. Receive the terminal identifier and token authority requirement information sent by the target terminal.
The token authority requirement information indicates the target terminal's requirements for the authority of each token, for example, the authority types of one or more tokens.
The terminal identifier may be the International Mobile Equipment Identity (IMEI) of the terminal, the device serial number (SN), or both the IMEI and the SN.
The terminal identifier and the token authority requirement information may be received in various ways, specifically as follows:
For example, the terminal identifier and the token authority requirement information sent by the target terminal may be received directly, or they may be received from a configuration server that received them from the target terminal. Alternatively, when the terminal identifiers and token authority requirement information are numerous or occupy a large amount of memory, a storage address sent by the target terminal or the configuration server may be received, and the terminal identifier and the token authority requirement information of the target terminal may be obtained based on that storage address.
102. Configure the authority of the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information.
A token is an object representing the right to perform certain operations.
The token of the target terminal may be configured in various manners, and the method specifically may be as follows:
For example, the token authority configuration information of the target terminal can be determined according to the token authority requirement information, the token corresponding to the target terminal is screened out from the preset token set based on the token authority configuration information, the target authority of the token is determined, and the token is configured according to the target authority, so that configured token information is obtained.
The method for determining the token authority configuration information of the target terminal according to the token authority requirement information can be various, for example, a configuration authority strategy can be extracted from the token authority requirement information, the configuration authority strategy is used as the token authority configuration information of the target terminal, or at least one token authority configuration item is identified in the token authority requirement information, basic token authority configuration information corresponding to the token authority configuration item is screened out from a preset token authority configuration information set, and the basic token authority configuration information is fused to obtain the token authority configuration information of the target terminal.
After determining the token authority configuration information of the target terminal, the token corresponding to the target terminal can be screened out from a preset token set based on the token configuration authority information, the target authority of the token can be determined, and various modes of screening out the token and determining the target authority of the token can be adopted, for example, the token identification needing to be configured can be identified in the token configuration authority information, the token corresponding to the token identification can be screened out from the preset token set, the token corresponding to the target terminal can be obtained, then the token authority set needing to be configured is identified from the token configuration authority information, and the token authority set is matched with the token, so that the target authority of each token can be obtained.
After screening out the tokens and determining the target rights of the tokens, the tokens can be subjected to rights configuration in various manners, for example, attribute information of the tokens can be obtained, the current rights of the tokens aiming at the target terminals are identified in the attribute information, the current rights are adjusted to the target rights, so that configured token information is obtained, or a candidate rights list of each token is obtained, the target rights are selected in the candidate rights list, the target rights list of each terminal is obtained, the target rights list is associated with the terminal identification, and the rights configuration is carried out on the corresponding tokens based on the associated target rights list, so that configured token information is obtained.
Optionally, after the token is configured according to the target right, information such as a configuration state and the like can be sent to the target terminal to prompt the configuration situation of the target terminal, for example, the configuration state of the token can be generated according to the configuration token information, the configuration state and the expiration time of the configured token information can be sent to the target terminal, when a token right information acquisition request sent by the target terminal is received within the expiration time, a public key corresponding to a terminal identifier is screened out from a preset public key set, or the configuration state of the token can be generated according to the configuration token information and returned to the configuration server, so that the configuration server sends the configuration state and the expiration time corresponding to the configuration state to the target terminal.
103. Screen out a public key corresponding to the terminal identifier from a preset public key set, and encrypt the configured token information and the terminal identifier based on the public key.
For example, a public key corresponding to the terminal identifier may be directly screened out from a preset public key set, an encryption algorithm corresponding to the public key is obtained, based on the encryption algorithm, the configured token information and the terminal identifier are bound by using the public key, and encryption is performed, so as to obtain encrypted token information.
Optionally, before the public key corresponding to the terminal identifier is screened out from the preset public key set, the public key of the terminal can be obtained and stored in a terminal safety space. The public key of the terminal can be obtained and stored in multiple ways. For example, a terminal public key upload request sent by the production line server can be received, where the request carries the original terminal identifier and the target public key of at least one terminal acquired by the production line server; the original terminal identifier and the target public key are bound, the bound target public key is stored in the preset public key set, and the storage state of the bound target public key is sent to the production line server.
The production line server may be also understood as a production line workstation, deployed on a production line of a terminal, and may be used as an edge service node to collect an original terminal identifier of each terminal and derive a public key of the terminal, and send the collected original terminal identifier and public key to the token server.
104. Distribute the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on the private key corresponding to the public key in the terminal safety space.
The encrypted token information can be understood as information which is obtained by binding and encrypting various data in the token and the terminal identifier, and is used for indicating the target token corresponding to the terminal identifier and the authority information of the target token.
The terminal secure space may be a Replay Protected Memory Block (RPMB) of the terminal, which is a partition with security features in eMMC (embedded MultiMediaCard) storage.
The manner of distributing the encrypted token information to the target terminal may be various, and specifically may be as follows:
for example, the encrypted token information may be directly sent to the terminal, or an allocation identifier may be further added to the encrypted token information, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and an allocation request is generated, where the allocation request carries the allocation identifier, so that the target terminal obtains the encrypted token information based on the allocation identifier.
After the target terminal acquires the encrypted token information, the target terminal can decrypt the encrypted token information according to a private key corresponding to a public key in a terminal safety space in an authentication scene, identify a target token corresponding to the authentication scene and token authority of the target token in the decrypted token information, and authenticate the authentication scene according to the target token and the token authority.
As can be seen from the foregoing, in the embodiment of the present application, after the terminal identifier and the token authority requirement information sent by the target terminal are received, authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information; a public key corresponding to the terminal identifier is then screened out from a preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, the token corresponding to the target terminal is configured according to the token authority requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal, so that unified key management is dispersed into protection of tokens by each device's own independent key. This minimizes the risk that leakage of one key allows all tokens to be injected arbitrarily, and the security of token management can therefore be improved.
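The flow of steps 101 to 104, together with the terminal-side decryption, as an added Go example that is not part of the patent text. It assumes RSA-OAEP with SHA-256 as the public-key algorithm, with the terminal identifier used as the OAEP label; the JSON layout, the token and right names, the terminal identifiers, and the in-memory private key standing in for the key held in the terminal safety space are all constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenInfo is the configured token information; the JSON layout is an assumption of this example.
type TokenInfo struct {
	TerminalID string              `json:"terminal_id"`
	Rights     map[string][]string `json:"rights"` // token name -> granted rights
}

// TokenServer holds the preset public key set and the preset token set.
type TokenServer struct {
	keys    map[string]*rsa.PublicKey  // terminal identifier -> bound public key
	catalog map[string]map[string]bool // token name -> rights it may carry
}

func NewTokenServer(catalog map[string]map[string]bool) *TokenServer {
	return &TokenServer{keys: map[string]*rsa.PublicKey{}, catalog: catalog}
}

// Bind stores the public key uploaded for a terminal identifier.
func (s *TokenServer) Bind(terminalID string, pub *rsa.PublicKey) { s.keys[terminalID] = pub }

// Issue runs steps 101 to 104: configure rights, look up the terminal's key, encrypt.
func (s *TokenServer) Issue(terminalID string, required map[string][]string) ([]byte, error) {
	pub, ok := s.keys[terminalID]
	if !ok {
		return nil, errors.New("no public key bound to this terminal identifier")
	}
	granted := map[string][]string{}
	for token, rights := range required {
		for _, r := range rights {
			if s.catalog[token][r] { // rights outside the preset token set are dropped
				granted[token] = append(granted[token], r)
			}
		}
	}
	plain, err := json.Marshal(TokenInfo{TerminalID: terminalID, Rights: granted})
	if err != nil {
		return nil, err
	}
	// Assumed: RSA-OAEP/SHA-256, identifier as label; over 190 bytes (2048-bit key) is an error.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte(terminalID))
}

// Terminal models the device; priv stands in for the key kept in the terminal safety space.
type Terminal struct {
	ID   string
	priv *rsa.PrivateKey
}

func NewTerminal(id string) (*Terminal, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{ID: id, priv: priv}, nil
}

func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Open decrypts encrypted token information and rejects data bound to another terminal.
func (t *Terminal) Open(encrypted []byte) (*TokenInfo, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, encrypted, []byte(t.ID))
	if err != nil {
		return nil, fmt.Errorf("decrypt token information: %w", err)
	}
	var info TokenInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return nil, err
	}
	if info.TerminalID != t.ID {
		return nil, errors.New("token information is bound to a different terminal")
	}
	return &info, nil
}

func main() {
	srv := NewTokenServer(map[string]map[string]bool{"debug_port": {"read": true, "write": true}})
	a, errA := NewTerminal("SN-A-0001") // constructed identifiers
	b, errB := NewTerminal("SN-B-0002")
	if errA != nil || errB != nil {
		panic("key generation failed")
	}
	srv.Bind(a.ID, a.PublicKey())
	srv.Bind(b.ID, b.PublicKey())
	enc, err := srv.Issue(a.ID, map[string][]string{"debug_port": {"read", "erase"}})
	info, openErr := a.Open(enc)
	fmt.Println("terminal A:", info, err, openErr)
	_, err = b.Open(enc)
	fmt.Println("terminal B:", err)
}
```

Token information larger than the OAEP limit would need a hybrid scheme (a random symmetric key wrapped with the terminal's public key), which the patent text does not specify.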
The present embodiment will be described from the viewpoint of a second token management apparatus, which may be integrated in an electronic device, which may be a terminal or the like; the terminal may include a tablet computer, a notebook computer, a personal computer (PC, personal Computer), a wearable device, a virtual reality device, or other devices that may process data.
A token management method, comprising:
creating a key pair in a terminal and storing the key pair in a terminal security space; sending the public key of the key pair and a terminal identifier to a token server, so that the token server binds the public key and the terminal identifier; sending the terminal identifier and token authority requirement information to the token server, so that the token server generates encrypted token information based on the terminal identifier and the token authority information; and acquiring the encrypted token information generated by the token server and storing the encrypted token information in the terminal security space.
As shown in fig. 4, the specific flow of the information processing method is as follows:
201. A key pair is created within the terminal and stored in a secure space of the terminal.
The key pair comprises a public key and a private key corresponding to the public key. The key pair is obtained through an encryption algorithm; one key is disclosed to the outside and is called the public key, and the other is retained by the owner and is called the private key. The key pairs obtained by this algorithm can be guaranteed to be unique worldwide. When this key pair is used, data encrypted with one of the keys must be decrypted with the other: data encrypted with the public key must be decrypted with the private key, and data encrypted with the private key must be decrypted with the public key; otherwise decryption will not succeed.
The key pair may be created in a plurality of ways in the terminal, and specifically may be as follows:
for example, a communication connection is established with the production line server, a key generation request sent by the production line server is received through the communication connection, and the terminal security space is queried for a private key based on the key generation request; when the private key exists in the terminal security space, the private key and the public key corresponding to the private key are used as the key pair, and when the private key does not exist in the terminal security space, the key pair is generated in the terminal security space.
There may be various ways of querying the private key in the secure space of the terminal. For example, the secure communication program (Client Application, CA) running in the normal world may communicate with the secure program (Trusted Application, TA), and the TA queries whether a generated private key exists under the TEE (trusted execution environment); if not, the TA generates the key pair and stores it in the RPMB partition, and if a private key has already been generated, the generated private key and public key are returned directly to the CA as the key pair, as shown in fig. 5.
When the private key does not exist in the terminal security space, there may be various ways of generating the key pair in the terminal security space, for example, the key pair may be created by the TA under the TEE of the terminal, or the key pair may be created by adopting other security algorithms in other areas of the terminal, or key pair creation information of the user may be received, and the key pair is created in the TEE based on the key pair creation information.
After the key pair is created in the terminal, the key pair may be stored in a secure space of the terminal, and the storage manner may be various, for example, the key pair may be directly stored in an RPMB, or the key pair may be stored in a secure data bucket in a TEE environment.
202. The public key and the terminal identification are sent to the token server so that the token server binds the public key and the terminal identification.
For example, a public key export request sent by the production line server may be received, the public key may be exported from the secure space of the terminal according to the public key export request, the exported public key may be temporarily stored, and the storage address where the public key is temporarily stored may be sent to the production line server, so that the production line server sends the exported public key to the token server based on the storage address.
Taking the case where the terminal secure space is an RPMB as an example, the process of exporting the public key may be as shown in fig. 6: on receiving a public key export request sent by the production line server, the CA initiates an export request, the export operation is executed in the TEE environment and the public key is exported from the RPMB partition, and the temporary storage location of the public key is returned to the CA; the CA returns the temporary storage location to the production line server, and the production line server obtains the exported public key according to the temporary storage location and sends the exported public key and the terminal identifier of the terminal to the token server. After acquiring the public key and the terminal identifier, the token server binds the public key and the terminal identifier and stores the bound public key in a preset public key set.
203. The terminal identification and the token authority requirement information are sent to the token server, so that the token server generates encrypted token information based on the terminal identification and the token authority information.
For example, the terminal identifier of the terminal may be obtained, and the terminal identifier and the token authority requirement information may be sent directly to the token server; or, when the terminal identifier and the token authority requirement information occupy a large amount of memory, the storage address of the terminal identifier and the token authority requirement information may be sent to the token server after the terminal identifier of the terminal is obtained, so that the token server obtains the terminal identifier and the token authority requirement information according to the storage address.
The terminal identification of the terminal may be obtained in various manners. For example, for the SN of the terminal, the ADB shelleve service may be used, and the SN and IMEI of the terminal may be used as the terminal identification; this data cannot be tampered with. For the IMEI, an IMEI retrieval request may be submitted, and the IMEI of the terminal may be looked up in the one-time programmable (One Time Programmable, OTP) secure memory.
After receiving the terminal identifier and the token authority requirement information, the token server may generate encrypted token information based on them. There may be various ways of generating the encrypted token information; for example, authority setting is performed on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information, a public key corresponding to the terminal identifier is screened out from a preset public key set, and the configured token information and the terminal identifier are encrypted based on the public key to obtain the encrypted token information.
204. The encrypted token information generated by the token server is acquired, and the encrypted token information is stored in the terminal security space.
For example, the encrypted token information sent by the token server may be directly obtained, or an allocation request sent by the token server may be received, where the allocation request carries an allocation identifier, a storage address or a download authority of the encrypted token information is extracted from the allocation identifier, and the encrypted token information is obtained based on the storage address or the download authority.
After the encrypted token information is obtained, the encrypted token information can be stored in a terminal security space, for example, the encrypted token information can be directly stored in an RPMB partition in a TEE security environment.
The terminal obtains and stores the encrypted token information mainly through interaction with the token server. As shown in fig. 7, a user operates the token authority selection page of an application APK, which triggers a token authority information obtaining request; the IMEI/SN of the terminal is then sent to the token server through the token authority obtaining request; the token server encrypts the SN and the configured token information with the public key corresponding to the terminal identifier to generate the encrypted token information, and distributes the encrypted token information to the corresponding terminal; the terminal downloads the distributed encrypted token information over the public network and stores it in a specific partition of the terminal.
Optionally, after the encrypted token information is stored in the terminal security space, authentication can be performed in an authentication scene. For example, when an authentication scene of the terminal is started, the private key corresponding to the authentication scene is read from the terminal security space, the encrypted token information is decrypted based on the private key, the target token of the authentication scene and the token authority of the target token are identified in the decrypted token information, and authentication is performed in the authentication scene according to the target token and the token authority.
There may be various types of authentication scene; for example, the authentication scene may include opening of the DIAG port for network packet analysis, UART output of boot exception analysis and debugging information, control and debugging of specific ROOT authority, and other similar controlled port authorities.
As can be seen from the foregoing, in the embodiment of the present application, a key pair is created in a terminal and stored in a terminal security space; the public key of the key pair and a terminal identifier are then sent to a token server, so that the token server binds the public key and the terminal identifier, and the terminal identifier and token authority requirement information are sent to the token server, so that the token server generates encrypted token information based on the terminal identifier and the token authority information. The encrypted token information generated by the token server is then acquired and stored in the terminal security space. In this scheme, the terminal creates the key pair and stores it in the security space, which improves the security of the private key; the encrypted token information is generated by the token server based on the terminal identifier and the token authority information, and protection of the token is then controlled by the private key stored in the security space of the terminal, so that the security of token management can be improved.
According to the method described in the above embodiments, examples are described in further detail below.
In this embodiment, the first token management apparatus is specifically integrated in a first electronic device, the first electronic device is a server, the second token management apparatus is integrated in a second electronic device, the second electronic device is a terminal, a terminal security space is an RPMB partition, a terminal identifier is an IMEI/SN, and a production line server is illustrated as a production line workstation.
As shown in fig. 8, a token management method specifically includes the following steps:
301. The terminal creates a key pair within the terminal and stores the key pair in the RPMB partition.
For example, the terminal establishes a communication connection with the production line workstation, receives a key generation request sent by the production line workstation through the communication connection, and, based on the key generation request, communicates with the TA through the CA running in the normal world, and the TA queries whether a generated private key exists in the RPMB under the TEE. When the private key does not exist in the RPMB, the terminal can create a key pair through the TA under the TEE of the terminal, or can create the key pair in another area of the terminal using another security algorithm, or can receive key pair creation information from the user and create the key pair in the TEE based on the key pair creation information. When the private key exists in the RPMB, the generated private key and public key are returned directly to the CA as the key pair.
The terminal may store the key pair in RPMB after creating the key pair, or may store the key pair in a secure data bucket in the TEE environment.
302. The terminal sends the public key and the terminal identification to the token server.
For example, the terminal may receive a public key export request sent by the production line workstation, export the public key from the RPMB partition according to the public key export request, temporarily store the exported public key, and send the storage address where the public key is temporarily stored to the production line workstation, so that the production line workstation sends the exported public key to the token server based on the storage address.
303. The token server binds the terminal identifier and the public key and stores the bound public key in a preset public key set.
For example, the token server may receive a terminal public key upload request sent by the production line workstation, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal acquired by the production line workstation, bind the original terminal identifier and the target public key, store the bound target public key in a preset public key set, and send the storage state of the bound target public key to the production line workstation.
304. The terminal sends the terminal identification and the token authority requirement information to the token server.
For example, the terminal may obtain the IMEI through the ADB shelleven service, retrieve the IMEI of the terminal from the OTP, and use the SN and IMEI of the terminal as the terminal identifier. The terminal then sends the terminal identifier and the token authority requirement information to the token server; or, when the terminal identifier and the token authority requirement information are large in number and occupy a large amount of memory, the terminal may, after acquiring its terminal identifier, send the storage address of the terminal identifier and the token authority requirement information to the token server, so that the token server acquires the terminal identifier and the token authority requirement information according to the storage address.
305. The token server performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information.
For example, the token server may extract a configuration permission policy from the token permission requirement information, and use the configuration permission policy as token permission configuration information of the target terminal, or identify at least one token permission configuration item from the token permission requirement information, screen out basic token permission configuration information corresponding to the token permission configuration item from a preset token permission configuration information set, and fuse the basic token permission configuration information to obtain token permission configuration information of the target terminal.
The token server identifies, in the token permission configuration information, the token identifier of each token to be configured, and screens out the token corresponding to the token identifier from a preset token set to obtain the token corresponding to the target terminal; it then identifies, in the token permission configuration information, the set of token permissions to be configured, and matches the token permission set against the tokens to obtain the target permission of each token.
The token server acquires attribute information of the tokens, identifies from the attribute information the current authority of each token with respect to the target terminal, and adjusts the current authority to the target authority to obtain configured token information; or it acquires a candidate authority list for each token, selects the target authority in the candidate authority list to obtain a target authority list for each terminal, associates the target authority list with the terminal identifier, and configures the authority of the corresponding tokens based on the associated target authority list to obtain configured token information.
Optionally, the token server may generate a configuration state of the token according to the configured token information and send the configuration state and an expiration time of the configured token information to the target terminal; when a token authority information acquisition request sent by the target terminal is received within the expiration time, the token server screens out the public key corresponding to the terminal identifier from the preset public key set. Alternatively, the token server may generate the configuration state of the token according to the configured token information and return the configuration state to the configuration server, so that the configuration server sends the configuration state and the expiration time corresponding to the configuration state to the target terminal.
306. The token server screens out a public key corresponding to the terminal identifier from a preset public key set, and encrypts the configured token information and the terminal identifier based on the public key.
For example, the token server may directly screen a public key corresponding to the terminal identifier from a preset public key set, obtain an encryption algorithm corresponding to the public key, bind the configured token information with the terminal identifier by using the public key based on the encryption algorithm, and encrypt the configured token information to obtain encrypted token information.
307. The token server distributes the encrypted token information to the target terminal.
For example, the token server may directly send the encrypted token information to the terminal, or may further add an allocation identifier to the encrypted token information, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and generate an allocation request, where the allocation request carries the allocation identifier, so that the target terminal obtains the encrypted token information based on the allocation identifier.
308. The terminal stores the encrypted token information in the RPMB partition.
For example, the terminal may store the encrypted token information directly to the RPMB partition in the TEE secure environment.
Optionally, after the encrypted token information is stored in the RPMB partition, when an authentication scene of the terminal is started, the terminal reads the private key corresponding to the authentication scene from the RPMB partition, decrypts the encrypted token information based on the private key, identifies in the decrypted token information the target token of the authentication scene and the token authority of the target token, and performs authentication in the authentication scene according to the target token and the token authority.
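The flow of steps 301 to 308 can be sketched as follows. This Go program is an added illustration and is not code from the patent: the JSON token layout, the type and function names, the sample identifiers, and the choice of RSA-OAEP with SHA-256 are assumptions, and an in-memory field stands in for the RPMB partition.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenInfo is the configured token information (constructed layout, an assumption).
type TokenInfo struct {
	TerminalID  string   `json:"terminal_id"`
	Permissions []string `json:"permissions"`
}

// Terminal models the device; priv stands in for the key held in the RPMB partition.
type Terminal struct {
	ID   string
	priv *rsa.PrivateKey
}

// PublicKey reuses the stored private key if one exists, generates a pair otherwise.
func (t *Terminal) PublicKey() (*rsa.PublicKey, error) {
	if t.priv == nil {
		priv, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		t.priv = priv
	}
	return &t.priv.PublicKey, nil
}

// TokenServer holds the preset public key set: terminal identifier -> bound public key.
type TokenServer struct{ keys map[string]*rsa.PublicKey }

func NewTokenServer() *TokenServer { return &TokenServer{keys: map[string]*rsa.PublicKey{}} }

// Bind stores a terminal's public key under its terminal identifier.
func (s *TokenServer) Bind(id string, pub *rsa.PublicKey) { s.keys[id] = pub }

// Issue encrypts token information plus terminal identifier under that terminal's key.
func (s *TokenServer) Issue(id string, perms []string) ([]byte, error) {
	pub, ok := s.keys[id]
	if !ok {
		return nil, errors.New("no public key bound to terminal identifier")
	}
	plain, err := json.Marshal(TokenInfo{TerminalID: id, Permissions: perms})
	if err != nil {
		return nil, err
	}
	// OAEP with a 2048-bit key and SHA-256 carries at most 190 bytes; larger input errors.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// Authorize decrypts on the terminal, checks the binding, then the authority for scene.
func (t *Terminal) Authorize(encrypted []byte, scene string) (bool, error) {
	if t.priv == nil {
		return false, errors.New("no private key in terminal security space")
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, encrypted, nil)
	if err != nil {
		return false, fmt.Errorf("decrypt with device private key: %w", err)
	}
	var info TokenInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return false, err
	}
	if info.TerminalID != t.ID {
		return false, errors.New("token information is bound to another terminal")
	}
	for _, p := range info.Permissions {
		if p == scene {
			return true, nil
		}
	}
	return false, nil
}

// Demo uses constructed identifiers: A asks for DIAG, A asks for ROOT, B tries A's token.
func Demo() (bool, bool, bool, error) {
	srv, a, b := NewTokenServer(), &Terminal{ID: "SN-A-0001"}, &Terminal{ID: "SN-B-0002"}
	for _, t := range []*Terminal{a, b} {
		pub, err := t.PublicKey()
		if err != nil {
			return false, false, false, err
		}
		srv.Bind(t.ID, pub)
	}
	enc, err := srv.Issue(a.ID, []string{"DIAG", "UART"})
	diag, _ := a.Authorize(enc, "DIAG")
	root, _ := a.Authorize(enc, "ROOT")
	_, errB := b.Authorize(enc, "DIAG")
	return diag, root, errB != nil, err
}

func main() { fmt.Println(Demo()) }
```

Token information larger than a single OAEP block would need a symmetric content key wrapped with the device public key, which this sketch leaves out.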
In the process of managing the token, when the terminal is a mobile phone terminal and the scene is a production line scene, the public key can be transferred through the production line workstation, and the overall framework topology of token management can be as shown in fig. 9: test and after-sales personnel switch on the mobile phone terminal and import the mobile phone public key through the production line workstation; the mobile phone public key is then stored in the token server, which may be called a token generation server; the token administrator then performs authorization configuration on the token; the token server encrypts the configured token and the terminal identifier with the public key to obtain encrypted token information and sends the encrypted token information to the terminal; and the terminal stores the encrypted token information in the terminal security space.
In the process of managing the token, taking the case where the terminal is a mobile phone terminal and the token server is a token generation server as an example, there are mainly two stages: in the first, the mobile phone terminal exports a public key to the token generation server through the production line workstation; in the second, the mobile phone terminal sends the IMEI/SN of the device and the token authority requirements to the token generation server or the token authority configuration server, the authority of the token is configured, and the token generation server then encrypts according to the public key of the terminal and sends the encrypted token information to the terminal. The flow is shown in fig. 10 and mainly comprises the following 4 links:
(1) Key pair generation and public key export between the terminal equipment and the production line workstation
During start-up, communication with the mobile phone is established through ADB and key generation is requested; the TA program completes storage in the RPMB secure partition; the encrypted key information is needed at a later stage, and the corresponding public key is exported and stored. The main steps are 1.1-3.3;
(2) Uploading device public key information to token generation server
The production line workstation uploads the IMEI information provided by the terminal and the exported public key information to the token generation server, for later dynamic generation of the authority token data that needs to be authorized. The main steps are 4.1-4.3;
(3) Applying and configuring authority token of terminal
To acquire the permission token, the terminal equipment must first be registered: a dedicated policy administrator configures it in the token generation server using the device SN, and the terminal equipment later completes the download of the permission token data over the public network through operation of the APK. The main steps are 5.1-5.6;
(4) Terminal storing rights token data
Operated by the user, the terminal equipment communicates with the token generation server in a public network environment; the server queries the public key information stored in advance according to the provided device IMEI information and performs binding according to the provided SN information to generate the encrypted rights token data. The main steps are 6.1-6.5.
As can be seen from the foregoing, in the embodiment of the present application, after the token server receives the terminal identifier and the token permission requirement information sent by the target terminal, it performs permission configuration on the token corresponding to the target terminal according to the token permission requirement information to obtain configured token information; it then screens out a public key corresponding to the terminal identifier from a preset public key set, encrypts the configured token information and the terminal identifier based on the public key, and distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, the permissions of the token corresponding to the target terminal are configured according to the token permission requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal, so that unified key management is dispersed into protection of the token by the key of each independent device; this reduces to the greatest extent the risk that leakage of a single key allows all tokens to be injected arbitrarily, and the security of token management can therefore be improved.
In order to better implement the above method, the embodiment of the present invention provides a token management apparatus (i.e., a first token management apparatus), where the first token management apparatus may be integrated in a server, and the server may be a single server or may be a server cluster formed by multiple servers.
For example, as shown in fig. 11, the first token management apparatus may include a receiving unit 401, a configuring unit 402, an encrypting unit 403, and a transmitting unit 404, as follows:
(1) A receiving unit 401;
a receiving unit 401, configured to receive the terminal identifier and the token authority requirement information sent by the target terminal.
For example, the receiving unit 401 may specifically be configured to receive the terminal identifier and the token authority requirement information sent by the target terminal, or to receive from the configuration server the terminal identifier and the token authority requirement information that the configuration server received from the target terminal; or, when the terminal identifier and the token authority requirement information are large in number or occupy a large amount of memory, it may receive a storage address of the terminal identifier and the token authority requirement information sent by the target terminal or the configuration server, and obtain the terminal identifier and the token authority requirement information of the target terminal based on the storage address.
(2) A configuration unit 402;
The configuration unit 402 is configured to perform authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information.
For example, the configuration unit 402 may specifically be configured to determine token authority configuration information of the target terminal according to the token authority requirement information, screen a token corresponding to the target terminal from a preset token set based on the token authority configuration information, determine a target authority of the token, and perform authority configuration on the token according to the target authority to obtain configured token information.
(3) An encryption unit 403;
The encryption unit 403 is configured to screen a public key corresponding to the terminal identifier from a preset public key set, and encrypt the configured token information and the terminal identifier based on the public key.
For example, the encryption unit 403 may be specifically configured to screen a public key corresponding to the terminal identifier from a preset public key set, obtain an encryption algorithm corresponding to the public key, bind the configured token information and the terminal identifier with the public key based on the encryption algorithm, and encrypt the configured token information to obtain encrypted token information.
(4) A transmitting unit 404;
The sending unit 404 is configured to distribute the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on a private key corresponding to the public key in the secure space of the terminal.
For example, the sending unit 404 may be specifically configured to send the encrypted token information to the terminal, or may further add an allocation identifier to the encrypted token information, where the allocation identifier may be a terminal identifier of the target terminal, a terminal address of the target terminal, or a storage address of the encrypted token information, and generate an allocation request, where the allocation request carries the allocation identifier, so that the target terminal obtains the encrypted token information based on the allocation identifier.
Optionally, the first token management device may further include a storage unit 405, as shown in fig. 12, specifically as follows:
The storage unit 405 is configured to bind the terminal identifier of the target terminal and the public key, and store the bound public key in a preset public key set.
For example, the storage unit 405 may be specifically configured to receive a terminal public key upload request sent by a production line server, where the terminal public key upload request carries an original terminal identifier and a target public key of at least one terminal acquired by the production line server, bind the original terminal identifier and the target public key, store the bound target public key in a preset public key set, and send the storage state of the bound target public key to the production line server.
In the implementation, each unit may be implemented as an independent entity, or may be implemented as the same entity or several entities in any combination, and the implementation of each unit may be referred to the foregoing method embodiment, which is not described herein again.
As can be seen from the foregoing, in the embodiment of the present application, after the receiving unit 401 receives the terminal identifier and the token authority requirement information sent by the target terminal, the configuring unit 402 performs authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information; the encrypting unit 403 then screens out the public key corresponding to the terminal identifier from the preset public key set and encrypts the configured token information and the terminal identifier based on the public key, and the sending unit 404 distributes the encrypted token information to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key corresponding to the public key in the terminal security space. In this scheme, the permissions of the token corresponding to the target terminal are configured according to the token permission requirement information of the target terminal, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal, so that unified key management is dispersed into protection of the token by the key of each independent device; this reduces to the greatest extent the risk that leakage of a single key allows all tokens to be injected arbitrarily, and the security of token management can therefore be improved.
In order to better implement the above method, the embodiment of the present invention further provides a token management device (i.e., a second token management device), which may be integrated in a terminal, where the terminal may include a tablet computer, a notebook computer, and/or a personal computer.
For example, as shown in fig. 13, the second token management apparatus may include a creation unit 501, a binding unit 502, a generation unit 503, and an acquisition unit 504, as follows:
(1) A creation unit 501;
A creating unit 501, configured to create a key pair in a terminal and store the key pair in a secure space of the terminal, where the key pair includes a public key and a private key corresponding to the public key.
For example, the creation unit 501 may specifically be configured to establish a communication connection with a production line server, receive a key generation request sent by the production line server through the communication connection, and query for a private key in the terminal security space based on the key generation request; when the private key exists in the terminal security space, the private key and the public key corresponding to the private key are used as the key pair, and when the private key does not exist in the terminal security space, the key pair is generated in the terminal security space.
(2) A binding unit 502;
A binding unit 502, configured to send the public key and the terminal identification to the token server, so that the token server binds the public key and the terminal identification.
For example, the binding unit 502 may specifically be configured to receive a public key export request sent by the production line server, export the public key from the secure space of the terminal according to the public key export request, temporarily store the exported public key, and send the storage address where the public key is temporarily stored to the production line server, so that the production line server sends the exported public key to the token server based on the storage address.
(3) A generating unit 503;
A generating unit 503, configured to send the terminal identifier and the token authority requirement information to the token server, so that the token server generates encrypted token information based on the terminal identifier and the token authority information.
For example, the generating unit 503 may specifically be configured to obtain the terminal identifier of the terminal and send the terminal identifier and the token authority requirement information directly to the token server; alternatively, when the terminal identifiers and token authority requirement information are numerous and occupy a large amount of memory, it may, after obtaining the terminal identifier of the terminal, send the storage address of the terminal identifier and the token authority requirement information to the token server, so that the token server obtains the terminal identifier and the token authority requirement information according to the storage address.
(4) An acquisition unit 504;
An obtaining unit 504, configured to obtain the encrypted token information generated by the token server, and store the encrypted token information in the terminal security space.
For example, the obtaining unit 504 may be specifically configured to directly obtain the encrypted token information sent by the token server, or may also receive an allocation request sent by the token server, where the allocation request carries an allocation identifier, extract a storage address or a download permission of the encrypted token information from the allocation identifier, and obtain the encrypted token information based on the storage address or the download permission.
Optionally, the second token management device may further include an authentication unit 505, as shown in fig. 14, specifically as follows:
The authentication unit 506 is configured to perform authentication in the authentication scenario based on the encrypted token information when the authentication scenario of the terminal is started.
For example, the authentication unit 506 may specifically be configured to, when an authentication scenario of the terminal is started, read a private key corresponding to the authentication scenario in a secure space of the terminal, decrypt the encrypted token information based on the private key, identify a target token of the authentication scenario and a token authority of the target token in the decrypted token information, and perform authentication in the authentication scenario according to the target token and the token authority.
In a specific implementation, each of the above units may be implemented as an independent entity, or the units may be combined arbitrarily and implemented as one or several entities. For the implementation of each unit, refer to the foregoing method embodiments; it is not described again here.
As is clear from the above, in this embodiment, after the creating unit 501 creates a key pair in the terminal and stores the key pair in the terminal security space, the binding unit 502 sends the public key of the key pair and the terminal identifier to the token server so that the token server binds the public key and the terminal identifier, and the generating unit 503 sends the terminal identifier and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identifier and the token authority information. The acquisition unit 504 then acquires the encrypted token information generated by the token server and stores it in the terminal security space. In this scheme, the terminal creates the key pair and stores it in the security space, which improves the security of the private key; the encrypted token information obtained is generated by the token server based on the terminal identifier and the token authority information, and the token is then protected under the control of the private key stored in the terminal's security space, so the security of token management can be improved.
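The server-side and terminal-side flows summarized above can be exercised end to end in the following added Go example, which is not code from the patent. It assumes RSA-OAEP with SHA-256 as the public-key encryption, a JSON layout for the token information, a constructed `grantable` policy and token values, and an in-memory private key standing in for the terminal security space.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenInfo is what the server encrypts; field names are assumptions of this example.
type TokenInfo struct {
	TerminalID  string   `json:"terminal_id"`
	Token       string   `json:"token"`
	Permissions []string `json:"permissions"`
}

var oaepLabel = []byte("token-info")                           // constructed label, same on both sides
var grantable = map[string]bool{"unlock": true, "debug": true} // constructed policy

// TokenServer is the preset public key set, keyed by terminal identifier.
type TokenServer map[string]*rsa.PublicKey

// Bind records the public key uploaded for a terminal identifier.
func (s TokenServer) Bind(id string, pub *rsa.PublicKey) { s[id] = pub }

// Issue configures permissions, then encrypts token info and terminal ID under that terminal's key.
func (s TokenServer) Issue(id string, requested []string) ([]byte, error) {
	pub, ok := s[id]
	if !ok {
		return nil, errors.New("no public key bound to terminal identifier")
	}
	var granted []string
	for _, p := range requested {
		if grantable[p] {
			granted = append(granted, p)
		}
	}
	plain, err := json.Marshal(TokenInfo{TerminalID: id, Token: "tok-" + id, Permissions: granted})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

// Terminal models the device; priv stands in for a key held in the terminal security space.
type Terminal struct {
	ID   string
	priv *rsa.PrivateKey
	blob []byte // encrypted token information as stored on the device
}

func NewTerminal(id string) (*Terminal, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Terminal{ID: id, priv: k}, nil
}

func (t *Terminal) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// Authenticate decrypts the blob, checks the embedded terminal ID, then the scenario permission.
func (t *Terminal) Authenticate(scene string) (bool, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, t.priv, t.blob, oaepLabel)
	if err != nil {
		return false, err
	}
	var info TokenInfo
	if err := json.Unmarshal(plain, &info); err != nil {
		return false, err
	}
	if info.TerminalID != t.ID {
		return false, errors.New("token information bound to another terminal")
	}
	for _, p := range info.Permissions {
		if p == scene {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	srv := TokenServer{}
	dev, err := NewTerminal("TERM-A") // constructed identifier
	if err != nil {
		panic(err)
	}
	srv.Bind(dev.ID, dev.PublicKey())
	dev.blob, _ = srv.Issue(dev.ID, []string{"unlock", "root"})
	fmt.Println(dev.Authenticate("unlock"))
}
```

Because anyone holding a terminal's public key can produce a ciphertext for it, encryption to the device key provides confidentiality and device binding but not proof of origin; a deployment that needs the latter would also have the token server sign the token information.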
The embodiment of the invention also provides an electronic device, as shown in fig. 15, which shows a schematic structural diagram of the electronic device according to the embodiment of the invention, specifically:
The electronic device may include components such as a processor 601 having one or more processing cores, a memory 602 comprising one or more computer-readable storage media, a power supply 603, and an input unit 604. Those skilled in the art will appreciate that the electronic device structure shown in fig. 15 does not limit the electronic device, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components. Wherein:
the processor 601 is a control center of the electronic device, connects various parts of the entire electronic device using various interfaces and lines, and performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 602, and calling data stored in the memory 602, thereby performing overall monitoring of the electronic device. Optionally, the processor 601 may include one or more processing cores; preferably, the processor 601 may integrate an application processor and a modem processor, wherein the application processor primarily handles operating systems, user interfaces, applications, etc., and the modem processor primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 601.
The memory 602 may be used to store software programs and modules, and the processor 601 may execute various functional applications and data processing by executing the software programs and modules stored in the memory 602. The memory 602 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the electronic device, etc. In addition, the memory 602 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 602 may also include a memory controller to provide access to the memory 602 by the processor 601.
The electronic device further comprises a power supply 603 for supplying power to the various components, preferably the power supply 603 may be logically connected to the processor 601 by a power management system, so that functions of managing charging, discharging, power consumption management and the like are achieved by the power management system. The power supply 603 may also include one or more of any components, such as a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The electronic device may further comprise an input unit 604, which input unit 604 may be used for receiving input digital or character information and for generating keyboard, mouse, joystick, optical or trackball signal inputs in connection with user settings and function control.
Although not shown, the electronic device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 601 in the electronic device loads executable files corresponding to the processes of one or more application programs into the memory 602 according to the following instructions, and the processor 601 executes the application programs stored in the memory 602, so as to implement various functions as follows:
After receiving the terminal identifier and the token authority requirement information sent by the target terminal, performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information; screening out the public key corresponding to the terminal identifier from a preset public key set, and encrypting the configured token information and the terminal identifier based on the public key; and distributing the encrypted token information to the target terminal, so that the target terminal can decrypt the encrypted token information based on the private key, corresponding to the public key, in the terminal security space.
Or,
creating a key pair in a terminal, storing the key pair in a terminal safety space, and sending a public key and a terminal identifier of the key pair to a token server so that the token server binds the public key and the terminal identifier; and sending the terminal identification and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identification and the token authority information, then acquiring the encrypted token information generated by the token server, and storing the encrypted token information into a terminal safety space.
The specific implementation of each operation may be referred to the previous embodiments, and will not be described herein.
As can be seen from the foregoing, in the embodiment of the present invention, after the terminal identifier and the token authority requirement information sent by the target terminal are received, authority configuration is performed on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information. The public key corresponding to the terminal identifier is then screened out from the preset public key set, the configured token information and the terminal identifier are encrypted based on the public key, and the encrypted token information is distributed to the target terminal, so that the target terminal decrypts the encrypted token information based on the private key, corresponding to the public key, in the terminal security space. In this scheme, the authority of the token corresponding to the target terminal is configured from the target terminal's token authority requirement information, and the configured token is encrypted with the public key corresponding to the terminal identifier of the target terminal. Unified key management is thereby distributed so that each device's own key independently protects its token, which minimizes the risk that the leak of a single key allows all tokens to be injected arbitrarily, and so the security of token management can be improved.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present invention provide a computer readable storage medium having stored therein a plurality of instructions capable of being loaded by a processor to perform the steps of any of the token management methods provided by the embodiments of the present invention. For example, the instructions may perform the steps of:
After receiving the terminal identifier and the token authority requirement information sent by the target terminal, performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information; screening out the public key corresponding to the terminal identifier from a preset public key set, and encrypting the configured token information and the terminal identifier based on the public key; and distributing the encrypted token information to the target terminal, so that the target terminal can decrypt the encrypted token information based on the private key, corresponding to the public key, in the terminal security space.
Or,
Creating a key pair in a terminal, storing the key pair in a terminal safety space, and sending a public key and a terminal identifier of the key pair to a token server so that the token server binds the public key and the terminal identifier; and sending the terminal identification and the token authority requirement information to the token server so that the token server generates encrypted token information based on the terminal identification and the token authority information, then acquiring the encrypted token information generated by the token server, and storing the encrypted token information into a terminal safety space.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
The computer-readable storage medium may comprise: read-only memory (ROM), random access memory (RAM), magnetic or optical disk, and the like.
Because the instructions stored in the computer readable storage medium may execute the steps in any token management method provided by the embodiments of the present invention, the beneficial effects that any token management method provided by the embodiments of the present invention can achieve are detailed in the previous embodiments, and are not described herein.
According to one aspect of the present application, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. A processor of an electronic device reads the computer instructions from the computer-readable storage medium and executes them, causing the electronic device to perform the methods provided in the various alternative implementations of the token management aspects or token rights management aspects described above.
The foregoing has described in detail a method and apparatus for token management provided by embodiments of the present invention, and specific examples have been employed herein to illustrate the principles and embodiments of the present invention, the above description of the embodiments being only for aiding in the understanding of the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present invention, the present description should not be construed as limiting the present invention.

Claims (10)

1. A token management method, wherein the token management method is applied to a token server, and the method comprises:
receiving a terminal identifier and token authority requirement information sent by a target terminal;
performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
receiving a public key and a terminal identifier sent by a terminal so that the token server binds the public key and the terminal identifier;
screening a public key corresponding to the terminal identifier from a preset public key set, and encrypting the configured token information and the terminal identifier based on the public key;
and distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in a terminal safety space.
2. The method of claim 1, wherein the performing authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain the configured token information comprises:
determining token authority configuration information of the target terminal according to the token authority demand information;
based on the token authority configuration information, screening out a token corresponding to the target terminal from a preset token set, and determining the target authority of the token;
and configuring the rights of the token according to the target rights, and obtaining configured token information.
3. The method of claim 2, wherein configuring the token according to the target authority to obtain configured token information further comprises:
generating a configuration state of the token according to the configured token information;
transmitting the configuration state and the expiration time of the configuration state to the target terminal;
the step of screening the public key corresponding to the terminal identifier from a preset public key set includes: and when the token authority information acquisition request sent by the target terminal is received within the expiration time, screening out a public key corresponding to the terminal identifier from a preset public key set.
4. A method of token management according to any of claims 1 to 3, wherein before screening out a public key corresponding to the terminal identifier from a preset public key set, the method further comprises:
receiving a terminal public key uploading request sent by a production line server, wherein the terminal public key uploading request carries an original terminal identifier and a target public key of at least one terminal acquired by the production line server;
binding the original terminal identifier and the target public key, and storing the bound target public key into a preset public key set;
and sending the storage state of the bound target public key to the production line server.
5. A method of token management, comprising:
creating a key pair in a terminal, and storing the key pair in a terminal safety space, wherein the key pair comprises a public key and a private key corresponding to the public key;
sending the public key and the terminal identifier to a token server so that the token server binds the public key and the terminal identifier;
the terminal identification and the token authority demand information are sent to the token server, so that the token server screens out a public key corresponding to the terminal identification from a preset public key set, encrypts the token information after the authority configuration and the terminal identification based on the public key, and generates encrypted token information;
and acquiring the encrypted token information generated by the token server, and storing the encrypted token information into the terminal safety space.
6. The method of claim 5, wherein the creating a key pair in the terminal comprises:
establishing a communication connection with a production line server, and receiving a key generation request sent by the production line server through the communication connection;
inquiring a private key in the terminal safety space based on the key generation request;
when the private key exists in the terminal safety space, the private key and the public key corresponding to the private key are used as a key pair;
and when the private key does not exist in the terminal safety space, generating a key pair in the terminal safety space.
7. The method of claim 6, wherein the sending the public key and terminal identification to the server comprises:
receiving a public key export request sent by the production line server;
according to the public key export request, exporting the public key from the terminal safety space, and temporarily storing the exported public key;
and sending the storage address in which the public key is temporarily stored to the production line server, so that the production line server sends the derived public key and the terminal identification to the token server based on the storage address.
8. The method of claim 5, further comprising, after storing the encrypted token information in the terminal security space:
when an authentication scene of a terminal is started, reading out a private key corresponding to the authentication scene from a terminal safety space;
decrypting the encrypted token information based on the private key, and identifying a target token of the authentication scene and the token authority of the target token in the decrypted token information;
and authenticating under the authentication scene according to the target token and the token authority.
9. A token management apparatus for use in a token server, the apparatus comprising:
the receiving unit is used for receiving the terminal identification and the token authority requirement information sent by the target terminal;
the configuration unit is used for carrying out authority configuration on the token corresponding to the target terminal according to the token authority requirement information to obtain configured token information;
the encryption unit is used for receiving the public key and the terminal identifier sent by the terminal so that the token server binds the public key and the terminal identifier, and is used for screening out the public key corresponding to the terminal identifier from a preset public key set and encrypting the configured token information and the terminal identifier based on the public key;
and the sending unit is used for distributing the encrypted token information to the target terminal so that the target terminal can decrypt the encrypted token information based on a private key corresponding to the public key in a terminal safety space.
10. A token management apparatus, comprising:
the creation unit is used for creating a key pair in a terminal and storing the key pair in a terminal safety space, wherein the key pair comprises a public key and a private key corresponding to the public key;
the binding unit is used for sending the public key and the terminal identifier to the token server so that the token server binds the public key and the terminal identifier;
the generation unit is used for sending the terminal identification and the token authority demand information to the token server so that the token server screens out a public key corresponding to the terminal identification from a preset public key set, encrypts the token information after the authority configuration and the terminal identification based on the public key, and generates encrypted token information;
and the acquisition unit is used for acquiring the encrypted token information generated by the token server and storing the encrypted token information into the terminal safety space.
CN202111431651.2A 2021-11-29 2021-11-29 Token management method and device Active CN114157470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111431651.2A CN114157470B (en) 2021-11-29 2021-11-29 Token management method and device

Publications (2)

Publication Number Publication Date
CN114157470A (en) 2022-03-08
CN114157470B (en) 2024-01-19

Family

ID=80784159

Country Status (1)

Country Link
CN (1) CN114157470B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant