CN114499888B - Private key protection and analysis method and device for signature service - Google Patents
Private key protection and analysis method and device for signature service Download PDFInfo
- Publication number
- CN114499888B CN114499888B CN202210146909.2A CN202210146909A CN114499888B CN 114499888 B CN114499888 B CN 114499888B CN 202210146909 A CN202210146909 A CN 202210146909A CN 114499888 B CN114499888 B CN 114499888B
- Authority
- CN
- China
- Prior art keywords
- private key
- hardware code
- encryption factor
- pseudo
- hash value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004458 analytical method Methods 0.000 title abstract description 5
- 238000000034 method Methods 0.000 claims abstract description 39
- 238000013475 authorization Methods 0.000 claims description 62
- 238000012795 verification Methods 0.000 claims description 13
- 238000012423 maintenance Methods 0.000 claims description 10
- 230000004931 aggregating effect Effects 0.000 claims description 8
- 230000005540 biological transmission Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/72—Signcrypting, i.e. digital signing and encrypting simultaneously
Abstract
The application provides a private key protection and analysis method and equipment. Compared with the prior art, the method and the device have the advantages that the hardware code ciphertext sent by the signature service device is obtained, the hardware code ciphertext is determined after the hardware code is encrypted by the signature service device based on a first encryption factor, the corresponding hardware code is determined through decryption of the hardware code ciphertext based on the first encryption factor, the hardware code hash value corresponding to the hardware code is obtained, the hardware code hash value is sent to the private key authorizing device, the private key authorizing device is enabled to generate the corresponding random encryption factor based on the hardware code hash value, then the random encryption factor sent by the private key authorizing device is received, the pseudo private key package is generated based on the first encryption factor, the random encryption factor and the hardware code, and the corresponding private key for signing can be determined through the pseudo private key package. In this way, security risks existing in human intervention can be avoided, and leakage of private keys can be prevented.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a technology for protecting and resolving a private key of a signature service.
Background
Existing large systems in the blockchain domain are typically built in a distributed service fashion, where signature service components for the blockchain's message signature are indispensable. In a conventional system, in order to ensure the security of the private key, the private key is encrypted, and the processing manner prevents the risk of directly exposing the private key, but still has the following problems:
firstly, an operation and maintenance person directly grasps the condition of a source code, and can find out from the source code or restore the secret key of the encrypted signature private key, thereby decrypting the encrypted private key;
second, the operator can directly redeploy the signature service under the condition that the operator cannot grasp the source code, so as to provide illegal signature service.
The security risk of the above human factors is not avoided in the current conventional system, and therefore, how to avoid the security risk is a problem to be solved.
Disclosure of Invention
The application aims to provide a private key protection and analysis method and equipment for signature service.
According to one aspect of the present application, there is provided a private key protection method for a signature service at a private key management device side, wherein the method includes:
acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by the signature service equipment after encrypting a hardware code based on a first encryption factor;
decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code;
transmitting the hardware code hash value to private key authorization equipment so that the private key authorization equipment generates a corresponding random encryption factor based on the hardware code hash value;
and receiving the random encryption factor sent by the private key authorization equipment, and generating a pseudo private key package based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package.
Further, the sending the hardware code hash value to a private key authorization device includes:
and sending the hardware code hash value and the manager authorization code to private key authorization equipment so that the private key authorization equipment can verify based on the manager authorization code and generate a corresponding random encryption factor based on the hardware code hash value after verification is passed.
Further wherein the generating of the pseudo-private key package is based on the first encryption factor, the random encryption factor, and the hardware code:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on a preset rule by using a pseudo-random seed based on the encryption key;
and generating a pseudo private key package based on the pseudo random seeds corresponding to the plurality of private keys, the public keys of the private keys and preset rules.
According to another aspect of the present application, there is further provided a method for protecting a private key for a signature service at a private key authorizing device, where the method includes:
receiving a hardware code hash value sent by private key management equipment, wherein the hardware code hash value is determined after the private key management equipment decrypts a hardware code ciphertext based on a first encryption factor;
binding the randomly generated random encryption factor with the hardware code hash value;
and sending the random encryption factor to the private key management device so that the private key management device generates a pseudo private key package based on the random encryption factor, the first encryption factor and the hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package.
Further, the receiving the hardware code hash value sent by the private key management device includes:
receiving a hardware code hash value sent by private key management equipment and an administrator authorization code;
wherein the method further comprises:
verifying based on the administrator authorization code, wherein the binding the randomly generated random encryption factor with the hardware code hash value includes:
when verification passes, the random encryption factor generated randomly is bound with the hash value of the hardware code.
According to still another aspect of the present application, there is further provided a method for resolving a private key for signature service at a signature service device side, where the method includes:
acquiring a pseudo private key packet for determining a private key and an authorization code of an operation and maintenance person, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code;
when the authorization code of the operation and maintenance personnel passes the verification, a hardware code hash value corresponding to the hardware code is obtained;
acquiring a corresponding random encryption factor from the private key authorization device based on the hardware code hash value, wherein the private key authorization device stores the corresponding relation between the hardware code hash value and the random encryption factor;
aggregating the first encryption factor, random encryption factor, and hardware code to decrypt the pseudo-private key package to determine a private key for signing services from the pseudo-private key package.
According to yet another aspect of the present application, there is also provided a computer readable medium having stored thereon computer readable instructions executable by a processor to implement operations as the aforementioned method.
Compared with the prior art, the method and the device have the advantages that the hardware code ciphertext sent by the signature service device is obtained, the hardware code ciphertext is determined after the hardware code is encrypted by the signature service device based on a first encryption factor, the corresponding hardware code is determined through decryption of the hardware code ciphertext based on the first encryption factor, the hardware code hash value corresponding to the hardware code is obtained, the hardware code hash value is sent to the private key authorizing device, the private key authorizing device is enabled to generate the corresponding random encryption factor based on the hardware code hash value, then the random encryption factor sent by the private key authorizing device is received, the pseudo private key package is generated based on the first encryption factor, the random encryption factor and the hardware code, and the corresponding private key for signing can be determined through the pseudo private key package. In this way, the security risk of human intervention can be avoided, thereby preventing the disclosure of the private key.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 illustrates a private key protection method flow diagram for a signature service in accordance with an aspect of the subject application;
FIG. 2 illustrates a flow chart of a private key resolution method for signature services provided in accordance with another aspect of the subject application;
fig. 3 shows a flow chart of a private key protection and resolution method for signature service according to a preferred embodiment of the present application.
The same or similar reference numbers in the drawings refer to the same or similar parts.
Detailed Description
The invention is described in further detail below with reference to the accompanying drawings.
In one typical configuration of the present application, the terminal, the device of the service network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer readable media, as defined herein, does not include non-transitory computer readable media (transmission media), such as modulated data signals and carrier waves.
In order to further describe the technical means and effects adopted by the present application, the following description will be made in detail and complete with reference to the accompanying drawings and preferred embodiments.
Fig. 1 shows a flow chart of a private key protection method for a signing service between a private key management device 1, a signing service device 2 and a private key authority 3 provided according to one aspect of the present application. The private key management device 1, the signature service device 2 and the private key authorization device 3 cooperate with each other to realize private key protection for signature service. The method comprises the following steps:
s11, private key management equipment 1 acquires a hardware code ciphertext sent by signature service equipment 2, wherein the hardware code ciphertext is determined by the signature service equipment 2 after encrypting a hardware code based on a first encryption factor;
s12, the private key management equipment 1 decrypts the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and obtains a hardware code hash value corresponding to the hardware code;
s13, the private key management device 1 sends the hardware code hash value to the private key authorization device 3 so that the private key authorization device generates a corresponding random encryption factor based on the hardware code hash value, and correspondingly, the private key authorization device 3 receives the hardware code hash value sent by the private key management device 1;
s14, the private key authorizing device 3 binds the randomly generated random encryption factor with the hardware code hash value;
s15, the private key authorizing device 3 sends the random encryption factor to the private key managing device 1 so that the private key managing device 1 generates a pseudo private key package based on the random encryption factor, a first encryption factor and a hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package, and accordingly, the private key managing device 1 receives the random encryption factor sent by the private key authorizing device;
s16 the private key management apparatus 1 generates a pseudo private key package based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signing can be determined by the pseudo private key package.
In this embodiment, in the step S11, the private key management device 1 acquires a hardware code ciphertext transmitted by the signature service device 2, where the hardware code ciphertext is determined by encrypting a hardware code, where the hardware code represents a unique identifier of a device, for example, the hardware code is a device identification code of the signature service device 2, and the signature service device 2 determines the hardware code ciphertext by encrypting the hardware code based on a first encryption factor. Here, the first encryption factor includes an encryption factor preset at the signing service device 2 side, and is used for encrypting a hardware code. Here, the transmission security of the hardware code can be ensured by encryption.
In this embodiment, in step S12, the private key management apparatus 1 decrypts the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and obtains a hardware code hash value corresponding to the hardware code. Here, the private key management device 1 and the signature service device 2 may synchronize with a first encryption factor based on a preset encryption rule, so that the private key management device 1 may locally obtain the first encryption factor to decrypt the hardware code ciphertext, thereby obtaining the hardware code, and further obtain a hardware code hash value corresponding to the hardware code.
Continuing with this embodiment, in step S13, the private key management device 1 sends the hardware code hash value to the private key authority device 3, so that the private key authority device generates a corresponding random encryption factor based on the hardware code hash value, and accordingly, the private key authority device 3 receives the hardware code hash value sent by the private key management device 1.
Wherein the sending the hardware code hash value to the private key authorizing device 3, so that the private key authorizing device generates a corresponding random encryption factor based on the hardware code hash value includes:
and sending the hardware code hash value and the manager authorization code to the private key authorization device 3, so that the private key authorization device 3 verifies based on the manager authorization code and generates a corresponding random encryption factor based on the hardware code hash value after verification is passed. Accordingly, the private key authorizing device 3 receives the hardware code hash value and the administrator authorizing code sent by the private key managing device, and performs verification based on the administrator authorizing code.
In this embodiment, to further ensure security, the administrator authorization code is sent to the private key authorization device 3 together for verification, and the private key authorization device 3 generates the random encryption factor randomly after the verification is passed.
Continuing in this embodiment, in said step 14, the private key authority 3 binds the randomly generated random encryption factor with said hardware code hash value. Here, the random encryption factor is bound to the hardware code hash value for facilitating subsequent decryption.
Continuing with this embodiment, in the step S15, the private key authority 3 transmits the random encryption factor to the private key management device 1, so that the private key management device 1 generates a pseudo private key packet based on the random encryption factor, the first encryption factor, and the hardware code, and accordingly, the private key management device 1 receives the random encryption factor transmitted by the private key authority 3.
Continuing with this embodiment, in said step S16, said private key management device 1 generates a pseudo private key package based on said first encryption factor, random encryption factor and said hardware code, wherein a corresponding private key for signing is determinable from said pseudo private key package.
Preferably, the generating unit generates a pseudo-private key packet based on the first encryption factor, a random encryption factor, and the hardware code:
s161 (not shown) aggregating the first encryption factor, the random encryption factor, and the hardware code to generate an encryption key of a signature private key package;
s162 (not shown) generates a plurality of private keys based on a preset rule using a pseudo random seed based on the encryption key;
s163 (not shown) generates a pseudo-private key package based on the pseudo-random seed corresponding to the plurality of private keys, the public key of the private key, and a preset rule.
In this way, the pseudo private key packet does not directly contain the corresponding private key, so that the security in private key transmission is improved.
Fig. 2 shows a private key parsing method for signature service at a signature service device 2 according to another aspect of the present application, where the method includes:
s21, a pseudo private key packet for determining a private key and an operation and maintenance personnel authorization code are obtained, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code;
s22, after the authorization code of the operation and maintenance personnel passes verification, a hardware code hash value corresponding to the hardware code is obtained;
s23, acquiring a corresponding random encryption factor from the private key authorization device based on the hardware code hash value, wherein the private key authorization device stores the corresponding relation between the hardware code hash value and the random encryption factor;
s24, the first encryption factor, the random encryption factor and the hardware code are aggregated to decrypt the pseudo private key package, so that a private key for signing service is determined through the pseudo private key package.
In this embodiment, when the private key for the signature service needs to be acquired, in the step S21, the signature service device 2 acquires a pseudo-private key package for determining the private key, where the pseudo-private key package is generated based on the method as described in fig. 1, that is, based on the local first encryption factor, the random encryption factor generated by the private key authorizing device, and the local hardware code, and the operation attendant authorization code.
The security is further improved by verifying the authorization code of the operation and maintenance personnel, and when the verification is passed, in the step S22, the signature service apparatus 2 obtains the hardware code hash value corresponding to the hardware code, specifically, firstly, the hardware code corresponding to the signature service apparatus 2 is obtained locally, and further, the hardware code is converted into the hardware code hash value.
In this embodiment, in step S23, a corresponding random encryption factor is obtained from the private key authority apparatus 3 based on the hardware code hash value, where the private key authority apparatus stores a correspondence between the hardware code hash value and the random encryption factor, so that the random encryption factor can be determined by the hardware code hash value based on the correspondence.
Continuing in this embodiment, in said step S24, said first encryption factor, random encryption factor, and hardware code are aggregated to decrypt said pseudo-private key package to determine a private key for signing services from said pseudo-private key package.
Since the generation of the pseudo private key package is determined by the first encryption factor, the random encryption factor and the hardware code, when the pseudo private key package is decrypted, the pseudo private key package can be decrypted by acquiring the first encryption factor, the random encryption factor and the hardware code, so that the corresponding private key for signature service is determined.
Fig. 3 shows a flow chart of a private key protection and resolution method for signature service according to a preferred embodiment of the present application. The signature service component corresponds to the signature service device 2, the private key authorization service component corresponds to the private key authorization device 3, and the private key management tool corresponds to the private key management device 1. Where cf1 corresponds to a first encryption factor, cf2 corresponds to a random encryption factor, the machine-code corresponds to a hardware code, and fkp corresponds to a pseudo-private key package. Steps 1 to 16 are combined to generate fkp through the signature service component, the private key authorization service component and the private key management tool, and steps 18 to 26 are performed by acquiring fkp the private key carried by the signature service component.
Compared with the prior art, the method and the device have the advantages that the hardware code ciphertext sent by the signature service device is obtained, the hardware code ciphertext is determined after the hardware code is encrypted by the signature service device based on a first encryption factor, the corresponding hardware code is determined through decryption of the hardware code ciphertext based on the first encryption factor, the hardware code hash value corresponding to the hardware code is obtained, the hardware code hash value is sent to the private key authorizing device, the private key authorizing device is enabled to generate the corresponding random encryption factor based on the hardware code hash value, then the random encryption factor sent by the private key authorizing device is received, the pseudo private key package is generated based on the first encryption factor, the random encryption factor and the hardware code, and the corresponding private key for signing can be determined through the pseudo private key package. In this way, the security risk of human intervention can be avoided, thereby preventing the disclosure of the private key.
Furthermore, embodiments of the present application provide a computer readable medium having stored thereon computer readable instructions executable by a processor to implement the foregoing method.
The embodiment of the application also provides a private key protection management device for signature service, wherein the device comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the aforementioned method.
For example, computer-readable instructions, when executed, cause the one or more processors to: acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by the signature service equipment after encrypting a hardware code based on a first encryption factor; decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code; transmitting the hardware code hash value to private key authorization equipment so that the private key authorization equipment generates a corresponding random encryption factor based on the hardware code hash value; and receiving the random encryption factor sent by the private key authorization equipment, and generating a pseudo private key package based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package.
In addition, the embodiment of the application also provides private key protection authorization equipment for signature service, wherein the equipment comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the aforementioned method.
For example, computer-readable instructions, when executed, cause the one or more processors to: receiving a hardware code hash value sent by private key management equipment, wherein the hardware code hash value is determined after the private key management equipment decrypts a hardware code ciphertext based on a first encryption factor; binding the randomly generated random encryption factor with the hardware code hash value; and sending the random encryption factor to the private key management device so that the private key management device generates a pseudo private key package based on the random encryption factor, the first encryption factor and the hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package.
In addition, the embodiment of the application also provides private key analysis equipment for signature service, wherein the equipment comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the aforementioned method.
For example, computer-readable instructions, when executed, cause the one or more processors to: acquiring a pseudo private key packet for determining a private key and an authorization code of an operation and maintenance person, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by private key authorization equipment and a local hardware code; when the authorization code of the operation and maintenance personnel passes the verification, a hardware code hash value corresponding to the hardware code is obtained; acquiring a corresponding random encryption factor from the private key authorization device based on the hardware code hash value, wherein the private key authorization device stores the corresponding relation between the hardware code hash value and the random encryption factor; aggregating the first encryption factor, random encryption factor, and hardware code to decrypt the pseudo-private key package to determine a private key for signing services from the pseudo-private key package.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. A plurality of units or means recited in the apparatus claims can also be implemented by means of one unit or means in software or hardware. The terms first, second, etc. are used to denote a name, but not any particular order.
Claims (9)
1. A private key protection method for signature service at a private key management device, wherein the method comprises:
acquiring a hardware code ciphertext sent by signature service equipment, wherein the hardware code ciphertext is determined by the signature service equipment after encrypting a hardware code based on a first encryption factor;
decrypting the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, and acquiring a hardware code hash value corresponding to the hardware code;
transmitting the hardware code hash value to private key authorization equipment so that the private key authorization equipment generates a corresponding random encryption factor based on the hardware code hash value;
receiving a random encryption factor sent by the private key authorization equipment, and generating a pseudo private key package based on the first encryption factor, the random encryption factor and the hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package;
wherein the generating a pseudo-private key package based on the first encryption factor, the random encryption factor, and the hardware code comprises:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on a preset rule by using a pseudo-random seed based on the encryption key;
and generating a pseudo private key package based on the pseudo random seeds corresponding to the plurality of private keys, the public keys of the private keys and preset rules.
2. The method of claim 1, wherein the sending the hardware code hash value to a private key authorization device comprises:
and sending the hardware code hash value and the manager authorization code to private key authorization equipment so that the private key authorization equipment can verify based on the manager authorization code and generate a corresponding random encryption factor based on the hardware code hash value after verification is passed.
3. A private key protection method for signature service at a private key authorizing device side, wherein the method comprises:
receiving a hardware code hash value sent by a private key management device, wherein the hardware code hash value is determined after the private key management device decrypts a hardware code ciphertext based on a first encryption factor, and the hardware code ciphertext is determined after the private key management device obtains the hardware code sent by a signature service device and encrypts the hardware code based on the first encryption factor through the signature service device;
binding the randomly generated random encryption factor with the hardware code hash value;
transmitting the random encryption factor to the private key management device so that the private key management device generates a pseudo private key package based on the random encryption factor, a first encryption factor and a hardware code, wherein a corresponding private key for signing can be determined through the pseudo private key package;
wherein the generating a pseudo-private key package based on the random encryption factor, the first encryption factor, and the hardware code comprises:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on a preset rule by using a pseudo-random seed based on the encryption key;
and generating a pseudo private key package based on the pseudo random seeds corresponding to the plurality of private keys, the public keys of the private keys and preset rules.
4. The method of claim 3, wherein the receiving the hardware code hash value transmitted by the private key management device comprises:
receiving a hardware code hash value sent by private key management equipment and an administrator authorization code;
wherein the method further comprises:
verifying based on the administrator authorization code, wherein the binding the randomly generated random encryption factor with the hardware code hash value includes:
when verification passes, the random encryption factor generated randomly is bound with the hash value of the hardware code.
5. A private key resolution method for signature service at a signature service device, wherein the method comprises:
the method comprises the steps that a hardware code ciphertext is sent to a private key management device, wherein the hardware code ciphertext is determined after the hardware code is encrypted by a signature service device based on a first encryption factor, the private key management device decrypts the hardware code ciphertext based on the first encryption factor to determine the corresponding hardware code, a hardware code hash value corresponding to the hardware code is obtained, and the private key management device sends the hardware code hash value to a private key authorization device, so that the private key management device enables the hardware code to generate a pseudo private key package based on the first encryption factor and a random encryption factor, and a corresponding private key for signing can be determined through the pseudo private key package;
the signature service equipment acquires a pseudo private key packet for determining a private key and an operation and maintenance personnel authorization code, wherein the pseudo private key packet is generated based on a local first encryption factor, a random encryption factor generated by the private key authorization equipment and a local hardware code;
when the authorization code of the operation and maintenance personnel passes the verification, a hardware code hash value corresponding to the hardware code is obtained;
acquiring a corresponding random encryption factor from the private key authorization device based on the hardware code hash value, wherein the private key authorization device stores the corresponding relation between the hardware code hash value and the random encryption factor;
aggregating the first encryption factor, random encryption factor, and hardware code to decrypt the pseudo-private key package to determine a private key for signing service from the pseudo-private key package;
the pseudo private key package is based on a local first encryption factor, a random encryption factor generated by private key authorizing equipment and a local hardware code generation, and comprises the following steps:
aggregating the first encryption factor, the random encryption factor and the hardware code to generate an encryption key of a signature private key package;
generating a plurality of private keys based on a preset rule by using a pseudo-random seed based on the encryption key;
and generating a pseudo private key package based on the pseudo random seeds corresponding to the plurality of private keys, the public keys of the private keys and preset rules.
6. A computer readable medium having stored thereon computer readable instructions executable by a processor to implement the method of any of claims 1 to 5.
7. A private key protection management apparatus for a signature service, wherein the apparatus comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of any one of claims 1 to 2.
8. A private key protection authorization device for a signing service, wherein the device comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of claim 3 or 4.
9. A private key resolution device for a signature service, wherein the device comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of claim 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210146909.2A CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210146909.2A CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114499888A CN114499888A (en) | 2022-05-13 |
| CN114499888B true CN114499888B (en) | 2024-02-02 |
Family
ID=81483290
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210146909.2A Active CN114499888B (en) | 2022-02-17 | 2022-02-17 | Private key protection and analysis method and device for signature service |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114499888B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20070019790A (en) * | 2004-07-14 | 2007-02-15 | 인텔 코오퍼레이션 | Method of delivering direct proof private keys in signed groups to devices using a distribution cd |
| CN109697603A (en) * | 2018-12-27 | 2019-04-30 | 中国移动通信集团江苏有限公司 | Guard method, device, equipment and the medium of E-seal |
| KR20190097998A (en) * | 2018-02-12 | 2019-08-21 | 주식회사 한컴위드 | User authentication apparatus supporting secure storage of private key and operating method thereof |
| CN111611552A (en) * | 2020-05-21 | 2020-09-01 | 浩云科技股份有限公司 | License authorization method and device based on combination of software and hardware |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
| WO2021238954A1 (en) * | 2020-05-27 | 2021-12-02 | 支付宝(杭州)信息技术有限公司 | Installation management of applet applications |
| WO2021244447A1 (en) * | 2020-05-30 | 2021-12-09 | 华为技术有限公司 | Information protection method and system, and communication apparatus |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10938560B2 (en) * | 2017-06-21 | 2021-03-02 | Microsoft Technology Licensing, Llc | Authorization key escrow |
-
2022
- 2022-02-17 CN CN202210146909.2A patent/CN114499888B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20070019790A (en) * | 2004-07-14 | 2007-02-15 | 인텔 코오퍼레이션 | Method of delivering direct proof private keys in signed groups to devices using a distribution cd |
| KR20190097998A (en) * | 2018-02-12 | 2019-08-21 | 주식회사 한컴위드 | User authentication apparatus supporting secure storage of private key and operating method thereof |
| CN109697603A (en) * | 2018-12-27 | 2019-04-30 | 中国移动通信集团江苏有限公司 | Guard method, device, equipment and the medium of E-seal |
| CN111611552A (en) * | 2020-05-21 | 2020-09-01 | 浩云科技股份有限公司 | License authorization method and device based on combination of software and hardware |
| WO2021238954A1 (en) * | 2020-05-27 | 2021-12-02 | 支付宝(杭州)信息技术有限公司 | Installation management of applet applications |
| WO2021244447A1 (en) * | 2020-05-30 | 2021-12-09 | 华为技术有限公司 | Information protection method and system, and communication apparatus |
| CN112765626A (en) * | 2021-01-21 | 2021-05-07 | 北京数字认证股份有限公司 | Authorization signature method, device and system based on escrow key and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114499888A (en) | 2022-05-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Barsoum et al. | Enabling dynamic data and indirect mutual trust for cloud computing storage systems | |
| US6516413B1 (en) | Apparatus and method for user authentication | |
| CN102077213B (en) | Techniques for ensuring authentication and integrity of communications | |
| KR101371608B1 (en) | Database Management System and Encrypting Method thereof | |
| US8396218B2 (en) | Cryptographic module distribution system, apparatus, and program | |
| US10528751B2 (en) | Secure and efficient cloud storage with retrievability guarantees | |
| CN109728914B (en) | Digital signature verification method, system, device and computer readable storage medium | |
| US20060095769A1 (en) | System and method for initializing operation for an information security operation | |
| US20100005318A1 (en) | Process for securing data in a storage unit | |
| CN109067814B (en) | Media data encryption method, system, device and storage medium | |
| US20110258434A1 (en) | Online secure device provisioning with updated offline identity data generation and offline device binding | |
| US8799334B1 (en) | Remote verification of file protections for cloud data storage | |
| CN113497709A (en) | Trusted data source management method based on block chain, signature device and verification device | |
| US11258601B1 (en) | Systems and methods for distributed digital rights management with decentralized key management | |
| US8346742B1 (en) | Remote verification of file protections for cloud data storage | |
| Lee et al. | How to securely record logs based on ARM trustzone | |
| CN113886793A (en) | Device login method, device, electronic device, system and storage medium | |
| CN110807210B (en) | Information processing method, platform, system and computer storage medium | |
| CN111865869B (en) | Registration and authentication method and device based on random mapping, medium and electronic equipment | |
| CN114499888B (en) | Private key protection and analysis method and device for signature service | |
| JP4995667B2 (en) | Information processing apparatus, server apparatus, information processing program, and method | |
| KR20210058313A (en) | Data access control method and system using attribute-based password for secure and efficient data sharing in cloud environment | |
| CN116132041A (en) | Key processing method and device, storage medium and electronic equipment | |
| KR20200080011A (en) | System and method for distributing and storing data | |
| Bojanova et al. | Cryptography classes in bugs framework (BF): Encryption bugs (ENC), verification bugs (VRF), and key management bugs (KMN) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |