CN114510688A

CN114510688A - Equipment unlocking method and device, computer readable storage medium and electronic equipment

Info

Publication number: CN114510688A
Application number: CN202011284964.5A
Authority: CN
Inventors: 唐惠忠
Original assignee: Tencent Technology Shenzhen Co Ltd
Current assignee: Tencent Technology Shenzhen Co Ltd
Priority date: 2020-11-17
Filing date: 2020-11-17
Publication date: 2022-05-17

Abstract

The application provides an equipment unlocking method, an equipment unlocking device, a computer readable storage medium and an electronic equipment; relates to the technical field of computers; the method comprises the following steps: after the current equipment is locked, reading key data which is stored in the current equipment in an encrypted manner, wherein the key data comprises an unlocking private key and an unlocking public key corresponding to the unlocking private key; receiving a locking key fed back by the key management platform, and decrypting key data through the locking key to obtain an unlocking private key and an unlocking public key; sending the unlocking private key to a verification server so that the verification server verifies the validity of the unlocking private key according to a prestored unlocking public key; and if the unlocking private key is verified to be legal, unlocking the current equipment according to the unlocking private key. Therefore, the time cost can be reduced and the unlocking efficiency can be improved.

Description

Equipment unlocking method and device, computer readable storage medium and electronic equipment

Technical Field

The present application relates to the field of data computing, and in particular, to an apparatus unlocking method, an apparatus unlocking device, a computer-readable storage medium, and an electronic apparatus.

Background

Generally, a terminal device (e.g., a mobile phone) is easy to fall off by a user and to be stolen during use, the terminal device is easy to be triggered to be locked after falling off, and the terminal device may be locked after being stolen because of forcible disassembly.

When the situation occurs, the terminal equipment generally needs to be returned to the factory, so that the terminal equipment refreshes the key in the safe environment, based on the situation, the original equipment information needs to be changed and re-registered as new equipment, and then the new equipment is sent to the user in a sending-back mode, otherwise, the user cannot normally use the terminal equipment. However, this tends to cause a problem of high time cost and low unlocking efficiency.

It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present application and therefore may include information that does not constitute prior art known to a person of ordinary skill in the art.

Disclosure of Invention

The application aims to provide an equipment unlocking method, an updating system of statistical analysis parameters, an equipment unlocking device, a computer readable storage medium and electronic equipment, which can reduce time cost and improve unlocking efficiency.

Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.

According to an aspect of the present application, there is provided a device unlocking method, including:

after the current equipment is locked, reading key data which is stored in the current equipment in an encrypted manner, wherein the key data comprises an unlocking private key and an unlocking public key corresponding to the unlocking private key;

receiving a locking key fed back by the key management platform, and decrypting key data through the locking key to obtain an unlocking private key and an unlocking public key;

sending the unlocking private key to a verification server so that the verification server verifies the validity of the unlocking private key according to a prestored unlocking public key;

and if the unlocking private key is verified to be legal, unlocking the current equipment according to the unlocking private key.

According to an aspect of the present application, a method for issuing a key is provided, including:

after the current equipment is locked, a locking key corresponding to the current equipment is fed back to the current equipment according to the operation request, so that the current equipment decrypts key data through the locking key to obtain an unlocking private key and an unlocking public key, the unlocking private key is further sent to the verification server, the verification server verifies the legality of the unlocking private key according to a pre-stored unlocking public key, and if the unlocking private key is verified to be legal, the current equipment is unlocked according to the unlocking private key.

According to an aspect of the present application, there is provided a key verification method, including:

after the current equipment is locked, receiving an unlocking private key sent by the current equipment, and verifying the validity of the unlocking private key according to a pre-stored unlocking public key; if the unlocking private key is verified to be legal, feeding back to the current equipment so that the current equipment can be unlocked according to the unlocking private key; the unlocking private key sent by the current equipment is obtained by decrypting key data through a locking key fed back by the key management platform.

According to an aspect of the present application, there is provided an apparatus unlocking device including:

the data reading unit is used for reading the key data which is stored in the current equipment in an encrypted manner after the current equipment is locked, wherein the key data comprises an unlocking private key and an unlocking public key corresponding to the unlocking private key;

the key decryption unit is used for receiving the locking key fed back by the key management platform and decrypting key data through the locking key to obtain an unlocking private key and an unlocking public key;

the validity verification unit is used for sending the unlocking private key to the verification server so that the verification server can verify the validity of the unlocking private key according to a pre-stored unlocking public key;

and the equipment unlocking unit is used for unlocking the current equipment according to the unlocking private key when the unlocking private key is verified to be legal.

In an exemplary embodiment of the present application, the apparatus further comprises:

before the key decryption unit receives the locking key fed back by the key management platform, when an unlocking permission request operation is detected, the key management platform responds to the unlocking permission request operation to verify the validity of the identity information corresponding to the operator;

and if the identity information is legal, the key management platform feeds back the locking key to the current equipment.

In an exemplary embodiment of the present application, the verifying the validity of the identity information corresponding to the operator by the key management platform responding to the unlocking authority request operation includes:

the key management platform reads an identity key corresponding to the unlocking permission request operation;

and if the identity key is a legal key, the key management platform judges that the identity information is legal.

In an exemplary embodiment of the present application, the key management platform feeds back the locking key to the current device, including:

the key management platform detects equipment information uploading operation and stores equipment information corresponding to the equipment information uploading operation;

the key management platform verifies the validity of the equipment information;

and if the equipment information is legal, the key management platform feeds back the locking key to the current equipment.

In an exemplary embodiment of the present application, the verifying the validity of the device information by the key management platform includes:

and the key management platform verifies whether the equipment information is matched with the current equipment, and if so, the equipment information is judged to be legal.

before the key management platform feeds back a locking key to the current equipment, the key management platform determines the state of the current equipment according to the equipment information;

and if the current equipment is in the state to be unlocked, the key management platform starts the unlocking function.

In an exemplary embodiment of the present application, the key decryption unit obtains the unlock private key and the unlock public key by locking the key decryption key data, including:

decrypting the locking key fed back by the key management platform to obtain a locking public key and a locking private key;

and decrypting the key data by the locking private key to obtain an unlocking private key and an unlocking public key.

In an exemplary embodiment of the present application, the decrypted key data further includes an apparatus private key, and the validity verifying unit sends the unlocking private key to the verification server, so that the verification server verifies validity of the unlocking private key according to a pre-stored unlocking public key, including:

signing the unlocking private key through the equipment private key to obtain a first reference unlocking private key;

sending the first reference unlocking private key to a verification server so that the verification server can verify the validity of the first reference unlocking private key and sign the first reference unlocking private key to obtain a second reference unlocking private key;

receiving a second reference unlocking private key fed back by the verification server, and verifying the validity of the second reference unlocking private key;

and if the second reference unlocking private key is legal, judging that the unlocking private key is legal.

In an exemplary embodiment of the present application, the decrypted key data further includes a device public key, where the device public key corresponds to the device private key, and the verifying server performs validity verification on the first reference unlocking private key, where the validity verification includes:

the verification server decrypts the first reference unlocking private key through the equipment public key;

and the verification server performs validity verification on the decrypted first reference unlocking private key according to the unlocking public key.

the key generation unit is used for generating an equipment public key and an equipment private key when the current equipment is in an un-unlocked state before the key decryption unit decrypts the key data by locking the key to obtain an unlocking private key and an unlocking public key;

the key sending unit is used for sending the equipment public key to the verification server, and receiving and storing a server public key which is fed back by the verification server and used for verifying the validity of the second reference unlocking private key; the decrypted key data further comprises a server public key.

and the locking unit is used for locking the current equipment when the protection circuit is detected to be in an open state.

In an exemplary embodiment of the present application, a locking unit locks a current device, including:

the lock key and the key data obtained by decryption of the lock key are deleted.

According to an aspect of the present application, there is provided an electronic device including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to perform the method of any of the above via execution of the executable instructions.

According to an aspect of the application, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of the above.

According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations described above.

The exemplary embodiments of the present application may have some or all of the following advantages:

in the device unlocking method provided by an example embodiment of the present application, after the current device is locked, key data stored in encrypted form in the current device may be read, where the key data includes an unlocking private key and an unlocking public key corresponding to the unlocking private key; receiving a locking key fed back by the key management platform, and decrypting key data through the locking key to obtain an unlocking private key and an unlocking public key; the unlocking private key is sent to a verification server, so that the verification server verifies the validity of the unlocking private key according to a pre-stored unlocking public key; and if the unlocking private key is verified to be legal, unlocking the current equipment according to the unlocking private key. According to the scheme, on one hand, the current equipment can be unlocked through the remotely issued locking key, and the current equipment does not need to wait for several days in a mailing factory returning mode, so that the unlocking time cost can be reduced, and the unlocking efficiency can be improved. In another aspect of the present application, the key data may be decrypted by using a dynamically issued locking key, the validity of the private key is verified by using the verification server, and the current device is unlocked on the premise that the unlocking private key is in one-to-one correspondence with the current device (i.e., on the premise that the unlocking private key is valid), so that an illegal device may be prevented from pretending to be the current device and providing a verification result for the verification server when the verification server requests the verification server to provide a verification result indicating that the private key is valid, thereby improving the security of the current device unlocking process and ensuring the data security.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.

Fig. 1 is a schematic diagram illustrating an exemplary system architecture to which a device unlocking method and a device unlocking apparatus according to an embodiment of the present application may be applied;

FIG. 2 illustrates a schematic structural diagram of a computer system suitable for use in implementing an electronic device of an embodiment of the present application;

FIG. 3 schematically shows a flow chart of a device unlocking method according to an embodiment of the present application;

FIG. 4 schematically shows a flow chart of a device unlocking method according to an embodiment of the present application;

FIG. 5 schematically shows a block diagram of a device unlocking system according to an embodiment of the present application;

FIG. 6 schematically illustrates a block interaction diagram of a current device with a verification server, according to one embodiment of the present application;

FIG. 7 schematically illustrates a hardware block diagram of a present device in one embodiment according to the present application;

FIG. 8 schematically illustrates a functional block diagram of a present device in one embodiment according to the present application;

fig. 9 schematically shows a block diagram of a device unlocking apparatus in an embodiment according to the present application.

Detailed Description

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present application.

Furthermore, the drawings are merely schematic illustrations of the present application and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

Fig. 1 is a schematic diagram illustrating a system architecture of an exemplary application environment to which a device unlocking method and a device unlocking apparatus according to an embodiment of the present application may be applied.

As shown in fig. 1, the system architecture 100 may include one or more of

terminal devices

101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the

terminal devices

101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few. The

terminal devices

101, 102, 103 may be various electronic devices having a display screen, including but not limited to desktop computers, portable computers, smart phones, tablet computers, and the like. It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation. For example, server 105 may be a server cluster comprised of multiple servers, or the like.

The device unlocking method provided by the embodiment of the application is generally executed by the server 105, and accordingly, the device unlocking apparatus is generally disposed in the server 105. However, it is easily understood by those skilled in the art that the device unlocking method provided in the embodiment of the present application may also be executed by the

terminal device

101, 102, or 103, and correspondingly, the device unlocking apparatus may also be disposed in the

terminal device

101, 102, or 103, which is not particularly limited in this exemplary embodiment. For example, in an exemplary embodiment, the

terminal device

101, 102, or 103 may read key data stored in encrypted form in the current device after the current device is locked, where the key data includes an unlocking private key and an unlocking public key corresponding to the unlocking private key; receiving a locking key fed back by the key management platform, and decrypting key data through the locking key to obtain an unlocking private key and an unlocking public key; the unlocking private key is sent to a verification server, so that the verification server verifies the validity of the unlocking private key according to a pre-stored unlocking public key; and if the unlocking private key is verified to be legal, unlocking the current equipment according to the unlocking private key.

FIG. 2 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.

It should be noted that the computer system 200 of the electronic device shown in fig. 2 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.

As shown in fig. 2, the computer system 200 includes a Central Processing Unit (CPU)201 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)202 or a program loaded from a storage section 208 into a Random Access Memory (RAM) 203. In the RAM 203, various programs and data necessary for system operation are also stored. The CPU 201, ROM 202, and RAM 203 are connected to each other via a bus 204. An input/output (I/O) interface 205 is also connected to bus 204.

The following components are connected to the I/O interface 205: an input portion 206 including a keyboard, a mouse, and the like; an output section 207 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card, a modem, or the like. The communication section 209 performs communication processing via a network such as the internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 210 as necessary, so that a computer program read out therefrom is installed into the storage section 208 as necessary.

In particular, the processes described below with reference to the flow diagrams may be implemented as computer software programs, according to embodiments of the application. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. The computer program, when executed by a Central Processing Unit (CPU)201, performs various functions defined in the methods and apparatus of the present application.

In the existing scheme, the maintenance of the terminal equipment needs to be carried out in an equipment factory, the firmware and the key burning of the SE during the return working time also need to be finished in the factory safety environment of each equipment manufacturer, the requirement on the production environment of the equipment manufacturer is high, the production cost is increased, and the platform popularization is inconvenient. Considering that a traditional financial terminal (e.g., a POS machine) is used to secure a transaction, a secure authenticated SE chip is usually added to encrypt transaction information. The SE chip can store encrypted keys, the SE can detect and lock the equipment in time when the equipment is dismantled by matching with the dismantling prevention circuit and the dismantling prevention structure, and the key data in the SE can be erased, so that the safety of the equipment is protected. The applicant has appreciated that a device unlocking method may be developed in conjunction with the characteristics of the SE.

The example embodiment provides a device unlocking method. The device unlocking method may be applied to the server 105, and may also be applied to one or more of the

terminal devices

101, 102, and 103, which is not particularly limited in this exemplary embodiment. Referring to fig. 3, the device unlocking method may include the following steps S310 to S340:

step S310: after the current device is locked, key data stored in the current device in an encrypted mode are read, and the key data comprise an unlocking private key and an unlocking public key corresponding to the unlocking private key.

Step S320: and decrypting the key data through the locking key fed back by the key management platform, wherein the decrypted key data comprises an unlocking private key and an unlocking public key.

Step S330: and sending the unlocking private key to a verification server so that the verification server verifies the validity of the unlocking private key according to a pre-stored unlocking public key.

Step S340: and if the unlocking private key is verified to be legal, unlocking the current equipment according to the unlocking private key.

By implementing the method shown in fig. 3, the current device can be unlocked through the remotely issued locking key without waiting for several days in a mailing mode to return to the factory, so that the time cost of unlocking can be reduced and the unlocking efficiency can be improved. And the key data can be decrypted by the dynamically issued locking key, the validity of the private key is verified by the verification server, the current equipment is unlocked under the premise that the unlocking private key is in one-to-one correspondence with the current equipment (namely, under the premise that the unlocking private key is legal), so that the condition that the illegal equipment pretends to be the current equipment and provides the verification result for the verification server when the verification server gives the verification result indicating that the private key is legal can be avoided, the safety of the unlocking process of the current equipment is improved, and the data safety is guaranteed.

The above steps of the present exemplary embodiment will be described in more detail below.

In step S310, after the current device is locked, key data stored encrypted in the current device is read, where the key data includes an unlocking private key and an unlocking public key corresponding to the unlocking private key.

As an alternative embodiment, the method further comprises: and if the protection circuit is detected to be in an open state, locking the current equipment.

Specifically, after locking the current device, the method may further include: sending an unlocking request to a key management platform to enable the key management platform to output prompt information for indicating that the current equipment needs to be unlocked; or sending information for indicating that the current equipment is to be unlocked to an operator terminal, so that the operator can know the information to be unlocked in time and unlock the equipment in time. Based on this, before sending an unlocking request to the key management platform or sending information indicating that the current device is to be unlocked to the operator terminal, the method may further include: starting all cameras, acquiring current images and synthesizing environment images according to the current images; performing face recognition on the environment image, and if the face features exist, recognizing whether the current user corresponding to the face features is a legal user; and if the equipment is a legal user, sending an unlocking request to the key management platform or sending information for indicating that the current equipment is to be unlocked to the operator terminal. Based on this, after the current user corresponding to the face feature is identified as a valid user, the method may further include: the method comprises the steps of detecting a preset unlocking gesture or a preset unlocking expression through a camera, and when the preset unlocking gesture or the preset unlocking expression is detected, executing to send an unlocking request to a key management platform or send information for indicating that current equipment is to be unlocked to an operator terminal. Therefore, the unlocking request is sent by a legal user instead of an illegal user, and the security of the key in the current equipment is improved.

Therefore, by implementing the optional embodiment, the current device can be locked in time after the protection circuit is disconnected, so that the safety of the key stored in the current device is ensured, and the safety of the device can be improved.

As an alternative embodiment, locking the current device comprises: the lock key and the key data obtained by decryption of the lock key are deleted.

It should be noted that only the decrypted key data is deleted, and the encrypted key data is not deleted, so that the remotely issued locking key can be received and then the encrypted key data can be unlocked. In addition, after deleting the locking key, the method further comprises: the data in the preset storage area is subjected to Hash encryption, so that the key data can be prevented from being cracked, and the safety of the data is further influenced.

Therefore, by implementing the optional embodiment, the data security in the current device can be ensured by deleting the locking key and the key data, and the data in the current device is prevented from being stolen or maliciously tampered.

In step S320, a locking key fed back by the key management platform is received, and the key data is decrypted by the locking key to obtain the unlocking private key and the unlocking public key.

As an optional embodiment, before receiving the locking key fed back by the key management platform, the method further includes: when the unlocking permission request operation is detected, the key management platform responds to the unlocking permission request operation to verify the validity of the identity information corresponding to the operator; and if the identity information is legal, the key management platform feeds back the locking key to the current equipment.

Specifically, the unlocking permission request operation may be a user click operation, a user voice control operation, a user touch operation, or the like acting on the key management platform, and an operator may log in the key management platform through the unlocking permission request operation. In addition, the method for verifying the validity of the identity information corresponding to the operator may be as follows: verifying whether the authorization code is correct, and if so, judging that the identity information corresponding to the operator is legal; wherein the authorization code may be represented by a string of characters.

Therefore, by implementing the optional embodiment, the identity validity of the operator can be verified, the unlocking safety of the equipment is improved, and the illegal operator is prevented from issuing the locking key through the key management platform.

As an optional embodiment, the verifying, by the key management platform, the validity of the identity information corresponding to the operator in response to the request for unlocking authority includes: the key management platform reads an identity key corresponding to the unlocking permission request operation; and if the identity key is a legal key, the key management platform judges that the identity information is legal.

In particular, the identity key may be the authorization code described above. In addition, if the identity key is a legal key, the method may further include: and the key management platform identifies facial features of the operator, judges whether the operator has unlocking authority or not according to the identification result, and if so, executes the judgment that the identity information is legal.

Therefore, by implementing the optional embodiment, the data security can be improved through the identity authentication of the operator, and the locking key is fed back to the current equipment only when the identity of the operator is legal, so that the user data can be prevented from being maliciously stolen through the guarantee of the key security.

As an alternative embodiment, the key management platform feeds back the locking key to the current device, including: the key management platform detects equipment information uploading operation and stores equipment information corresponding to the equipment information uploading operation; the key management platform verifies the validity of the equipment information; and if the equipment information is legal, the key management platform feeds back the locking key to the current equipment.

Specifically, the device information may include device manufacturer information (e.g., a device manufacturer unique identifier), a device unique identifier, and the like. If the device information is not legal, a prompt message indicating that the request has failed is output.

Therefore, by implementing the optional embodiment, the locking key for unlocking key data can be fed back to the current device under the condition that the device for unlocking which is applied by the operator is consistent with the current device, so that the key security can be improved.

As an alternative embodiment, the key management platform verifies the validity of the device information, including: and the key management platform verifies whether the equipment information is matched with the current equipment, and if so, the equipment information is judged to be legal.

Specifically, the way for the key management platform to verify whether the device information matches the current device may be: and the key management platform sends a verification request to the equipment unique identifier contained in the equipment information, and if a feedback message for responding to the verification request is received and the equipment unique identifier contained in the feedback message is consistent with the equipment unique identifier contained in the equipment information, the equipment information is judged to be matched with the current equipment. And if the equipment information does not match the current equipment, outputting a prompt message for indicating that the request fails.

Therefore, whether the equipment information is legal or not can be judged by implementing the optional embodiment, so that the locking key can be fed back under the legal condition, the current equipment can be unlocked remotely, and the unlocking convenience of the equipment is improved.

As an optional embodiment, before the key management platform feeds back the locking key to the current device, the method further includes: the key management platform determines the current equipment state according to the equipment information; and if the current equipment is in the state to be unlocked, the key management platform starts the unlocking function.

Specifically, the manner in which the key management platform determines the state of the current device according to the device information may be: the key management platform sends a state request to the current equipment, and if the state to be unlocked fed back by the current equipment is received, the unlocking starting function is executed; the number of times of realizing the unlocking function is N (such as 1), and N is a positive integer.

Therefore, by implementing the optional embodiment, the unlocking function can be started, and the locking key for decrypting the key data can be conveniently returned to the current device by the operator by starting the unlocking function.

As an alternative embodiment, decrypting the key data by the locking key to obtain the unlocking private key and the unlocking public key includes: decrypting the locking key fed back by the key management platform to obtain a locking public key and a locking private key; and decrypting the key data by using the locking private key to obtain the unlocking private key and the unlocking public key.

Specifically, the way of decrypting the locking key fed back by the key management platform may be: a Security Element (SE) in the current device decrypts a locking key fed back by the key management platform; the locking public key and the locking private key may be a pair of symmetric encryption keys or asymmetric encryption keys. Based on this, before decrypting the locking key fed back by the key management platform, the method may further include: and receiving a locking key which is encrypted according to a public key encryption algorithm (RSA), an asymmetric encryption algorithm (ECC) or a block encryption algorithm (such as AES, DES and 3DES) and fed back by the key management platform. In addition, after the key data is decrypted by locking the private key, the method may further include: storing the decrypted key data; wherein the key data comprises a plurality of keys for enabling a plurality of device functions.

Therefore, by implementing the optional embodiment, the key data can be decrypted through the dynamically sent locking key, so that the security of the key data can be ensured, and the data security is guaranteed.

In step S330, the unlocking private key is sent to the verification server, so that the verification server verifies the validity of the unlocking private key according to the pre-stored unlocking public key.

As an optional embodiment, the decrypted key data further includes a device private key, and the unlocking private key is sent to the verification server, so that the verification server verifies the validity of the unlocking private key according to a pre-stored unlocking public key, including: signing the unlocking private key through the equipment private key to obtain a first reference unlocking private key; sending the first reference unlocking private key to a verification server so that the verification server can verify the validity of the first reference unlocking private key and sign the first reference unlocking private key to obtain a second reference unlocking private key; receiving a second reference unlocking private key fed back by the verification server, and verifying the validity of the second reference unlocking private key; and if the second reference unlocking private key is legal, judging that the unlocking private key is legal.

Specifically, the way for the verification server to sign the first reference unlocking private key and obtain the second reference unlocking private key may be: the verification server signs the first reference unlocking private key through a server private key to obtain a second reference unlocking private key and sends the second reference unlocking private key to the current equipment; wherein the server private key corresponds to the server public key. Furthermore, the validity verification of the second reference unlocking private key comprises the following steps: the SE decrypts the second reference unlocking private key through a pre-stored server public key, if decryption is successful, the decrypted second reference unlocking private key and the unlocking private key are compared, and if the decryption is successful, the second reference unlocking private key is judged to be legal; and the decrypted second reference unlocking private key is the unlocking private key. In addition, if the verification server verifies that the first reference unlocking private key is illegal, the verification server judges that unlocking fails, and if the current equipment verifies that the second reference unlocking private key is illegal, the current equipment judges that unlocking fails.

Therefore, by implementing the optional embodiment, the equipment can be unlocked through the key data signature command under the condition that the identity of the operator is legal through the authorization and the authentication of the verification server, that is, the remote safe unlocking recovery can be realized, and the data safety in the current equipment is guaranteed.

As an optional embodiment, the decrypted key data further includes a device public key, where the device public key corresponds to the device private key, and the verifying server performs validity verification on the first reference unlocking private key, where the method includes: the verification server decrypts the first reference unlocking private key through the equipment public key; and the verification server performs validity verification on the decrypted first reference unlocking private key according to the unlocking public key.

Specifically, the verifying the validity of the decrypted first reference unlocking private key by the verifying server according to the unlocking public key includes: the verification server detects whether the unlocking public key is matched with the unlocking private key, and if so, the first reference unlocking private key is judged to be legal; and the decrypted first reference unlocking private key is the unlocking private key.

Therefore, by implementing the optional embodiment, the key data can be decrypted through the dynamically issued locking key, and the equipment is unlocked through the key data signature command between the equipment and the verification server, so that the data security is improved.

As an optional embodiment, before decrypting the key data by using the locking key to obtain the unlocking private key and the unlocking public key, the method further includes: when the current equipment is in an unlocked state, generating an equipment public key and an equipment private key; the equipment public key is sent to a verification server, and a server public key which is fed back by the verification server and is used for verifying the validity of the second reference unlocking private key is received and stored; the decrypted key data further comprises a server public key.

Specifically, the receiving and storing of the server public key fed back by the verification server for verifying the validity of the second reference unlocking private key includes: and receiving a server public key fed back by the verification server and used for verifying the validity of the second reference unlocking private key, encrypting and storing key data at least comprising the server public key, the equipment public key and the equipment private key, wherein the encrypted key data needs to be decrypted by a locking key issued dynamically. In addition, the device public key and the device private key correspond to each other.

Therefore, by implementing the optional embodiment, the key can be stored, so that unlocking verification can be conveniently performed when the device is locked, the current device is unlocked on the premise of data security, and the data security of a user is guaranteed.

In step S340, if it is verified that the unlocking private key is valid, the current device is unlocked according to the unlocking private key.

Specifically, unlocking the current device according to the unlocking private key includes: and recovering the application program use permission and the data calling permission of the current equipment according to the unlocking private key.

Referring to fig. 4, fig. 4 schematically illustrates a flow chart of a device unlocking method according to an embodiment of the present application. As shown in fig. 4, the device unlocking method includes: step S400 to step S470.

Step S400: and when the current equipment is in an un-unlocked state, generating an equipment public key and an equipment private key, sending the equipment public key to the verification server, and receiving and storing a server public key which is fed back by the verification server and used for verifying the validity of the second reference unlocking private key.

Step S410: and if the protection circuit is detected to be in the off state, deleting the locking key and the key data obtained by decrypting the locking key.

Step S420: when the unlocking permission request operation is detected, the key management platform reads the identity key corresponding to the unlocking permission request operation, and if the identity key is a legal key, the key management platform judges that the identity information is legal.

Step S430: and the key management platform detects the equipment information uploading operation, stores the equipment information corresponding to the equipment information uploading operation and verifies the legality of the equipment information.

Step S440: and if the equipment information is legal, the key management platform determines the state of the current equipment according to the equipment information, and if the current equipment is in the state to be unlocked, the unlocking function is started and the locking key is fed back to the current equipment.

Step S450: and decrypting the locking key fed back by the key management platform to obtain a locking public key and a locking private key, decrypting the key data through the locking private key, wherein the decrypted key data further comprises an equipment private key and an equipment public key.

Step S460: the method comprises the steps of signing an unlocking private key through an equipment private key to obtain a first reference unlocking private key, sending the first reference unlocking private key to a verification server so that the verification server can verify the validity of the first reference unlocking private key and sign the first reference unlocking private key to obtain a second reference unlocking private key, receiving the second reference unlocking private key fed back by the verification server, verifying the validity of the second reference unlocking private key, and judging that the unlocking private key is legal if the second reference unlocking private key is legal.

Step S470: and unlocking the current equipment according to the unlocking private key.

It can be seen that, by implementing the method shown in fig. 4, the current device can be unlocked through the remotely issued locking key without waiting for several days in a way of returning to the factory by mailing, so that the time cost of unlocking can be reduced and the unlocking efficiency can be improved. And the key data can be decrypted by the dynamically issued locking key, the validity of the private key is verified by the verification server, the current equipment is unlocked under the premise that the unlocking private key is in one-to-one correspondence with the current equipment (namely, under the premise that the unlocking private key is legal), so that the condition that the illegal equipment pretends to be the current equipment and provides the verification result for the verification server when the verification server gives the verification result indicating that the private key is legal can be avoided, the safety of the unlocking process of the current equipment is improved, and the data safety is guaranteed.

Referring to fig. 5, fig. 5 schematically shows a structure diagram of a device unlocking system according to an embodiment of the present application. As shown in fig. 5, the device unlocking system 500 includes: a key management platform 501, a verification server 503, and a current device 502; the current device 502 may be an electronic device such as a terminal or a server, and the embodiment of the present application is not limited thereto.

Specifically, the current device 502 encrypts the generated device public key and device private key and the server public key sent by the verification server 503 by using the lock key and then burns the encrypted device public key and the device private key, and when it is detected that the tamper-proof circuit is in a disconnected state, it is determined that the current device is disassembled and the lock key and the key data decrypted by the lock key are clear, but the encrypted key data is not deleted. Further, the operator may log in the key management platform 501 to request a device unlock right once when the identity information is legal, so as to send a lock key to the current device 502, so that the current device 502 decrypts encrypted key data according to the lock key.

Further, referring to fig. 6, fig. 6 schematically illustrates a module interaction diagram of a current device and an authentication server according to an embodiment of the present application. As shown in fig. 6, the present apparatus 610 includes: a tamper structure 611, a tamper circuit 612, a SE613, a Central Processing Unit (CPU) 614 (i.e., CPU614), and a camera 615. Authentication server 620 may include an unlocking back office 622 and an identity management back office 621.

The tamper structure 611 is connected to the tamper circuit 612, the SE613 is configured to detect a connection state of the tamper circuit 612, and if the tamper circuit 612 is in a disconnection state, it indicates that the current device is illegally disassembled (for example, the current device falls to cause disconnection of the tamper circuit). Furthermore, the CPU614 may trigger the start of the camera 615 according to the detected unlocking request, identify a face image therein through an environment image fed back by the camera 615, and if the face image matches a legitimate user, decrypt key data through a locking key fed back by the key management platform 630, and send an obtained unlocking private key after being signed by the device private key to the verification server 620.

The unlocking background 622 in the verification server 620 is used for verifying the validity of the unlocking private key through the device public key, so as to help to judge whether the sender is legal, if so, the validity of the unlocking private key can be verified through the unlocking public key, if the verification is successful, the unlocking private key is fed back to the current device 610 through the server private key, and the identity management background 621 is also used for unlocking the current device 610. The identity management background 621 in the verification server 620 is configured to perform validity verification on the information input by the operator and received by the key management platform 630, so as to implement validity verification on the operator.

It should be noted that SE is also called a security chip, which can guarantee data security inside the chip, and the added tamper structure 611 and tamper circuit 612 can detect that the current device is detached, and ensure that the device cannot be attacked by using the locking capability of the security chip. The SE includes security hardware and security software: the safety hardware comprises a safe operation environment, a safe storage, a safety algorithm, a safety interface and the like, and the safety software provides a safe interaction mechanism to ensure the interaction safety of commands and data between the SE and the upper computer. The safety functions of safety processing, safety calculation, safety storage and the like are carried out on the data based on the SE, and the functions of identity authentication, data transmission encryption, sensitive information protection and the like of the equipment can be realized. The security algorithm supported by the SE can comprise an international algorithm (RSA \ ECC \ DES \3DES \ AES \ SHA-n) and a national secret algorithm (SM1\ SM2\ SM3\ SM4\ SM9), and the security qualification of the SE comprises EAL4+, national secret second level and the like.

Referring to fig. 7, fig. 7 schematically illustrates a hardware structure of the present device in an embodiment according to the present application. As shown in fig. 7, the present device 700 may include: the system comprises a front screen 701, a host bracket 702, a protection steel sheet 703, a main board 704, a camera 705, a tamper point connection 706, a protection steel sheet 707, a main tamper circuit 708, a battery 709, a secondary tamper circuit 710 and a rear screen 711. Wherein, the front screen 701 is used for displaying a user interface; the protection steel sheet 703 and the protection steel sheet 707 are used for protecting the main anti-tamper circuit 708 and the auxiliary anti-tamper circuit 710, the main anti-tamper circuit 708 and the auxiliary anti-tamper circuit 710 can form the anti-tamper circuit 612, the main anti-tamper circuit 708 and the auxiliary anti-tamper circuit 710 can be applied to the current equipment 700 to form the anti-tamper structure 611, and the anti-tamper point connection 706 is used for fixing the main anti-tamper circuit 708 and the auxiliary anti-tamper circuit 710; the motherboard 704 may be provided with a CPU for data processing; the camera 705 is used for collecting images; battery 709 is used to provide power support; a secondary tamper circuit 710; both the front screen 701 and the rear screen 711 are used to protect other elements in the current device.

Referring to fig. 8, fig. 8 schematically illustrates a functional block diagram of a present device in accordance with an embodiment of the present application. As shown in fig. 8, the current device 800 may include: the system comprises a CPU801, a camera 802, a display unit 803, an SE804, a battery 805, a power management unit 806, an interface unit 807, an audio unit 808, a storage unit 809, a radio frequency unit 810, and a tamper circuit and tamper structure 811. The anti-tamper circuit and anti-tamper structure 811 is arranged in the current device 800 and can be used for protecting data security, and when the SE804 detects that the anti-tamper circuit is in an off state, the lock key and the decrypted key data can be cleared, so that the data is prevented from being stolen; battery 805 is used to provide power support for the current device 800; the power management unit 806 is used to provide power management functions; the interface unit 807 is used to identify external devices; the audio unit 808 is used to process audio signals; the radio frequency unit 810 is configured to receive and transmit base station signals; the storage unit 809 is used for storing data; the display unit 803 is used for providing an interface display function; the camera 802 is used for collecting images; the CPU801 is used to process data.

Further, in the present exemplary embodiment, an apparatus unlocking device is also provided. Referring to fig. 9, the device unlocking apparatus 900 may include:

a data reading unit 901, configured to read, after a current device is locked, key data stored in the current device in an encrypted manner, where the key data includes an unlocking private key and an unlocking public key corresponding to the unlocking private key;

the key decryption unit 902 is configured to receive the locking key fed back by the key management platform, and decrypt key data through the locking key to obtain an unlocking private key and an unlocking public key;

a validity verification unit 903, configured to send the unlocking private key to a verification server, so that the verification server verifies validity of the unlocking private key according to a pre-stored unlocking public key;

and the device unlocking unit 904 is configured to unlock the current device according to the unlocking private key when the unlocking private key is verified to be legal.

It can be seen that, with the device shown in fig. 9, the current device can be unlocked through the remotely issued locking key without waiting for several days in a mailing to the factory, so that the time cost of unlocking can be reduced and the unlocking efficiency can be improved. And the key data can be decrypted by the dynamically issued locking key, the validity of the private key is verified by the verification server, the current equipment is unlocked under the premise that the unlocking private key is in one-to-one correspondence with the current equipment (namely, under the premise that the unlocking private key is legal), so that the condition that the illegal equipment pretends to be the current equipment and provides the verification result for the verification server when the verification server gives the verification result indicating that the private key is legal can be avoided, the safety of the unlocking process of the current equipment is improved, and the data safety is guaranteed.

before the key decryption unit 902 receives the locking key fed back by the key management platform, when an unlocking permission request operation is detected, the key management platform responds to the unlocking permission request operation to verify the validity of the identity information corresponding to the operator;

In an exemplary embodiment of the present application, the verifying the validity of the identity information corresponding to the operator by the key management platform in response to the request for unlocking authority includes:

the key management platform verifies the validity of the equipment information;

and the key management platform verifies whether the equipment information is matched with the current equipment or not, and if so, judges that the equipment information is legal.

In an exemplary embodiment of the present application, the key decryption unit 902 obtains the unlock private key and the unlock public key by locking the key decryption key data, including:

In an exemplary embodiment of the present application, the decrypted key data further includes an apparatus private key, and the validity verifying unit 903 sends the unlocking private key to the verification server, so that the verification server verifies validity of the unlocking private key according to a pre-stored unlocking public key, including:

a key generation unit (not shown) configured to generate a device public key and a device private key when the current device is in an unlocked state before the key decryption unit 902 decrypts the key data by using the locking key to obtain the unlocking private key and the unlocking public key;

a key sending unit (not shown) configured to send the device public key to the verification server, and receive and store a server public key fed back by the verification server and used for verifying the validity of the second reference unlocking private key; the decrypted key data further comprises a server public key.

and a locking unit (not shown) for locking the current device when the protection circuit is detected to be in the open state.

It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.

As each functional module of the device unlocking apparatus of the exemplary embodiment of the present application corresponds to the step of the exemplary embodiment of the device unlocking method described above, please refer to the embodiment of the device unlocking method described above for details that are not disclosed in the embodiment of the device of the present application.

As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.

It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units described in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be disposed in a processor. Wherein the names of the elements do not in some way constitute a limitation on the elements themselves.

Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.

It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims

1. A method for unlocking a device, comprising:

after the current equipment is locked, reading key data stored in the current equipment in an encrypted manner, wherein the key data comprises an unlocking private key and an unlocking public key corresponding to the unlocking private key;

receiving a locking secret key fed back by a secret key management platform, and decrypting the secret key data through the locking secret key to obtain the unlocking private key and the unlocking public key;

sending the unlocking private key to a verification server so that the verification server verifies the validity of the unlocking private key according to the pre-stored unlocking public key;

2. The method of claim 1, wherein prior to receiving the locking key fed back by the key management platform, the method further comprises:

when an unlocking permission request operation is detected, the key management platform responds to the unlocking permission request operation to verify the validity of the identity information corresponding to the operator;

3. The method according to claim 2, wherein the operation of the key management platform responding to the unlocking authority request to verify the validity of the identity information corresponding to the operator comprises:

4. The method of claim 2, wherein the key management platform feeds back the locking key to the current device, comprising:

the key management platform verifies the validity of the equipment information;

5. The method of claim 4, wherein the key management platform verifies the validity of the device information, comprising:

6. The method of claim 4, wherein before the key management platform feeds back the locking key to the current device, the method further comprises:

the key management platform determines the state of the current equipment according to the equipment information;

and if the current equipment is in a state to be unlocked, the key management platform starts an unlocking function.

7. The method of claim 1, wherein decrypting the key data with the locking key to obtain the unlocking private key and the unlocking public key comprises:

decrypting the locking secret key fed back by the secret key management platform to obtain a locking public key and a locking private key;

and decrypting the key data through the locking private key to obtain the unlocking private key and the unlocking public key.

8. The method according to claim 7, wherein the decrypted key data further includes a device private key, and the sending of the unlocking private key to a verification server so that the verification server verifies validity of the unlocking private key according to the pre-stored unlocking public key includes:

sending the first reference unlocking private key to the verification server so that the verification server can verify the validity of the first reference unlocking private key and sign the first reference unlocking private key to obtain a second reference unlocking private key;

receiving the second reference unlocking private key fed back by the verification server, and performing validity verification on the second reference unlocking private key;

9. The method of claim 8, wherein the decrypted key data further comprises a device public key, wherein the device public key corresponds to the device private key, and wherein the verifying server performs validity verification on the first reference unlock private key, comprising:

the verification server decrypts the first reference unlocking private key through the device public key;

10. The method of claim 9, wherein before decrypting the key data with the locking key to obtain the unlocking private key and the unlocking public key, the method further comprises:

when the current equipment is in an unlocked state, generating the equipment public key and the equipment private key;

sending the equipment public key to the verification server, and receiving and storing a server public key which is fed back by the verification server and is used for verifying the validity of the second reference unlocking private key; wherein the decrypted key data further comprises the server public key.

11. The method of claim 1, further comprising:

and if the protection circuit is detected to be in the off state, locking the current equipment.

12. The method of claim 11, wherein locking the current device comprises:

deleting the locking key and the key data obtained by decrypting the locking key.

13. An apparatus unlocking device, characterized by comprising:

the data reading unit is used for reading key data which is stored in the current equipment in an encrypted manner after the current equipment is locked, wherein the key data comprises an unlocking private key and an unlocking public key corresponding to the unlocking private key;

the key decryption unit is used for receiving a locking key fed back by the key management platform and decrypting the key data through the locking key to obtain the unlocking private key and the unlocking public key;

the validity verification unit is used for sending the unlocking private key to a verification server so that the verification server verifies the validity of the unlocking private key according to the pre-stored unlocking public key;

14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1-12.

15. An electronic device, comprising:

a processor; and

a memory for storing executable instructions of the processor;

wherein the processor is configured to perform the method of any of claims 1-12 via execution of the executable instructions.