CN114553426B - Signature verification method, key management platform, security terminal and electronic equipment - Google Patents

Signature verification method, key management platform, security terminal and electronic equipment Download PDF

Info

Publication number
CN114553426B
CN114553426B CN202011344964.XA CN202011344964A CN114553426B CN 114553426 B CN114553426 B CN 114553426B CN 202011344964 A CN202011344964 A CN 202011344964A CN 114553426 B CN114553426 B CN 114553426B
Authority
CN
China
Prior art keywords
signature
key
data
management platform
random number
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011344964.XA
Other languages
Chinese (zh)
Other versions
CN114553426A (en
Inventor
张星
韩宇龙
柳耀勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile IoT Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile IoT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile IoT Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN202011344964.XA priority Critical patent/CN114553426B/en
Publication of CN114553426A publication Critical patent/CN114553426A/en
Application granted granted Critical
Publication of CN114553426B publication Critical patent/CN114553426B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a signature verification method, a key management platform, a security terminal and electronic equipment, wherein the method comprises the following steps: sending a first data writing instruction to a security terminal through a blockchain client; acquiring a first random number generated by the secure terminal in response to the first data writing instruction through the blockchain client; sending a second data writing instruction to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data; and acquiring a second signature generated by the secure terminal through the blockchain client, and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification. The application can improve the security of data.

Description

Signature verification method, key management platform, security terminal and electronic equipment
Technical Field
The present application relates to the field of blockchain technologies, and more particularly, to a signature verification method, a key management platform, a secure terminal, and an electronic device.
Background
In the blockchain system, each blockchain node realizes data transmission through address identification similar to an email address, meanwhile, a sender needs to sign sent data information during each data transmission, a receiver needs to check a signature after receiving the data information so as to prove the credibility of the data information and prevent the overflow of false data services, but public and private keys and other data are stored on the blockchain node, and the security of the data is lower.
Disclosure of Invention
The embodiment of the application provides a signature verification method, a key management platform, a security terminal and electronic equipment, which are used for solving the problem of low data security.
In a first aspect, an embodiment of the present application provides a signature verification method, applied to a key management platform, including:
sending a first data writing instruction to a security terminal through a blockchain client;
acquiring a first random number generated by the secure terminal in response to the first data writing instruction through the blockchain client;
Sending a second data writing instruction to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data;
and acquiring a second signature generated by the secure terminal through the blockchain client, and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification.
In a second aspect, an embodiment of the present application further provides a signature verification method, which is applied to a secure terminal, including:
receiving a first data writing instruction sent by a key management platform through a blockchain client;
generating a first random number in response to the first data writing instruction, and sending the first random number to the key management platform through the blockchain client;
receiving a second data writing instruction sent by the key management platform through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting target data by the key management platform;
Verifying the first signature, writing the ciphertext data under the condition that the first signature passes verification, and generating a second signature according to the second random number;
and sending the second signature to the key management platform through the blockchain client.
In a third aspect, an embodiment of the present application further provides a key management platform, including:
the first sending module is used for sending a first data writing instruction to the security terminal through the blockchain client;
the first acquisition module is used for acquiring a first random number generated by the secure terminal in response to the first data writing instruction through the blockchain client;
the second sending module is used for sending a second data writing instruction to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data;
and the second acquisition module is used for acquiring a second signature generated by the secure terminal through the blockchain client and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification.
In a fourth aspect, an embodiment of the present application further provides a secure terminal, including:
the first sending module is used for receiving a first data writing instruction sent by the key management platform through the blockchain client;
the generation module is used for responding to the first data writing instruction to generate a first random number, and transmitting the first random number to the key management platform through the blockchain client;
the receiving module is used for receiving a second data writing instruction sent by the key management platform through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting target data by the key management platform;
the verification module is used for verifying the first signature, writing the ciphertext data in the case that the first signature passes verification, and generating a second signature according to the second random number;
and the second sending module is used for sending the second signature to the key management platform through the blockchain client.
In a fifth aspect, an embodiment of the present application further provides an electronic device, including a processor, a memory, and a program or an instruction stored in the memory and running on the processor, where the program or the instruction implements the steps in the signature verification method disclosed in the first aspect of the embodiment of the present application when executed by the processor, or the program or the instruction implements the steps in the signature verification method disclosed in the second aspect of the embodiment of the present application when executed by the processor.
In this way, in this embodiment, the key management platform sends, to the secure terminal through the blockchain client, a second data writing instruction, where the second data writing instruction includes a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data, so that the ciphertext data is stored in the secure terminal, and the target data is invisible to all nodes of the blockchain, thereby achieving a technical effect of improving security of the target data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a signature verification method according to an embodiment of the present application;
FIG. 2 is a flow chart of another signature verification method according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a key issuing system according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a security terminal according to an embodiment of the present application;
fig. 5 is a schematic structural view of a security module according to an embodiment of the present application;
FIG. 6 is a flow chart of another signature verification method according to an embodiment of the present application;
FIG. 7 is a flow chart of another signature verification method according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a key management platform according to an embodiment of the present application;
FIG. 9 is a schematic diagram of another key management platform according to an embodiment of the present application;
FIG. 10 is a schematic diagram of another key management platform according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a security terminal according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of another security terminal according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a flow chart of a signature verification method according to an embodiment of the present application, which is applied to a key management platform, as shown in fig. 1, and includes the following steps:
step 101, a first data writing instruction is sent to a security terminal through a blockchain client.
The blockchain client and the secure terminal may be in a corresponding relationship, for example: the secure terminal can be used as a trusted carrier of a blockchain user node, and sensitive data such as a corresponding key of the blockchain client can be stored in the corresponding secure terminal and is invisible to other blockchain nodes.
The first data writing instruction may be an instruction triggering the secure terminal to send a random number, for example: in the signature verification process, the key management platform can generate a first signature through a first random number generated by the secure terminal, and the secure terminal can verify the validity of the identity of the key management platform through the first signature.
Step 102, obtaining, by the blockchain client, a first random number generated by the secure terminal in response to the first data writing instruction.
Wherein the first random number may be generated by a security module in the secure terminal, the identity information (e.g., a private key) of the secure terminal may be stored in the security module, and the security module may provide signature capability.
Step 103, a second data writing instruction is sent to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is obtained by encrypting target data.
The target data may be sensitive data that needs to be stored by the secure terminal, for example: sensitive data such as an identity key of the security module, a service key, a unique identifier of a data consumer, and the like. In addition, the target data may be dispersed to corresponding target data based on the secure terminal, so that the target data may form a mapping relationship with the secure terminal.
The encryption may be performed in an encryptor, for example: the key management platform is in butt joint with the encryption machine, and the actions of dispersing, generating and the like of all keys can be completed in the encryption machine, so that plaintext data cannot be exposed to the outside.
Step 104, obtaining a second signature generated by the secure terminal through the blockchain client, and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification.
The second signature can be used for verifying the validity of the identity of the secure terminal, and when the secure terminal verifies that the identity of the key management platform is legal through the first signature, the second signature is generated and transmitted to the key management platform, so that the key management platform and the secure terminal can be authenticated in a bidirectional mode.
In addition, when the second signature verification passes, that is, a secure channel is established between the key management platform and the secure terminal, the key management platform may repeat the above steps to realize distribution of all data.
In this embodiment, the key management platform sends, to the secure terminal through the blockchain client, a second data writing instruction, where the second data writing instruction includes a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data, so that the ciphertext data is stored in the secure terminal, and the target data is invisible to all nodes of the blockchain, thereby achieving a technical effect of improving security of the target data.
In addition, the secure terminal generates the second signature according to the second random number when the first signature passes verification, and the second signature generated by the secure terminal according to the second random number when the first signature passes verification is obtained through the blockchain client, and the second signature is verified, so that the issuing of data can be completed after the legal identities of the two parties are mutually verified, and the security and confidentiality of data transmission are improved.
Optionally, before the sending, by the blockchain client, the second data writing instruction to the secure terminal, the method further includes:
acquiring a function list supported by the secure terminal through the blockchain client, and judging whether the secure terminal supports key agreement according to the function list;
under the condition that the safety terminal does not support key agreement, encrypting the target data by using a preset key to obtain the ciphertext data;
and under the condition that the secure terminal supports key negotiation, negotiating with the secure terminal to obtain a session key, and encrypting the target data by using the session key to obtain the ciphertext data.
The preset key may be a management key preset in the secure terminal, for example: when the identity authentication key and the corresponding service key in the secure terminal are loaded, the establishment of the secure channel between the key management platform and the secure terminal is completed through a preset key, so that the resource expenditure can be reduced, and the efficiency is improved.
The above determination whether the secure terminal supports key negotiation may be determined by whether a negotiation key exists in the secure terminal, for example: the private key of the negotiation key can be preset in the security module of the security terminal in the production process of the security terminal, and if the security terminal has the negotiation key, the private key of the negotiation key can be negotiated with the key management platform to obtain the session key.
In this embodiment, whether the secure terminal supports key negotiation is determined according to the function list, and the target data is encrypted by using the preset key or the session key, where when the secure terminal does not support key negotiation, the resource overhead can be reduced, and the efficiency and the user experience can be improved by using the preset key to establish a secure channel between the key management platform and the secure terminal; under the condition that the secure terminal supports key negotiation, negotiating with the secure terminal to obtain a session key, and encrypting the target data by using the session key to obtain the ciphertext data, so that the integrity and confidentiality of the data can be ensured.
Optionally, the negotiating with the secure terminal to obtain the session key includes:
sending a key negotiation instruction to the secure terminal through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor;
receiving a fourth signature sent by the secure terminal in response to the key negotiation instruction through the blockchain client, wherein the fourth signature is a signature generated by decrypting the session key factor ciphertext to generate a session key and according to the session key and the third random number when the secure terminal verifies that the third signature passes;
and verifying the fourth signature, and acquiring the session key based on the session key factor under the condition that the fourth signature passes verification.
The session key factor encryption may be encrypted by a preset key, for example: when the secure terminal supports key agreement, the secure terminal stores a private key of an agreement key, the key management platform corresponds to a public key stored with the agreement key, and the generated session key factor ciphertext can be obtained by encrypting the generated session key factor by using the public key of the agreement key.
The fact that the fourth signature passes through the verification may be understood that the key management platform and the secure terminal have completed the negotiation, and the key management platform and the secure terminal may obtain the same session key according to the session key factor.
In the embodiment, the negotiated session key is used for encrypting the target data and calculating the signature, so that the integrity and confidentiality of the data can be ensured, and the safe issuing of the target data from the key management platform to the corresponding safe terminal of the blockchain client is realized.
Optionally, before the second data writing instruction is sent to the corresponding secure terminal through the blockchain client, the method further includes:
and acquiring the safety terminal identifier, and generating the target data according to the safety terminal identifier.
The target data may be obtained by a scatter generation method, for example: and dispersing the target data by using a method of a secure terminal identifier, a version number and a stuff byte to form a group of target data mapped by a block chain client, wherein the target data of each block chain user node is invisible to other nodes.
In this embodiment, the target data is generated by using the secure terminal identifier, so that a mapping relationship of one blockchain user node corresponding to a group of target data can be formed, different users have different encryption and decryption keys, and ciphertext data uplink to different blockchain user nodes can be decrypted under the condition of permission, thereby improving the security and confidentiality of the data.
Referring to fig. 2, fig. 2 is a flowchart of another signature verification method according to an embodiment of the present application, applied to a secure terminal, as shown in fig. 2, including the following steps:
step 201, a first data writing instruction sent by a key management platform is received through a blockchain client.
Step 202, generating a first random number in response to the first data writing instruction, and sending the first random number to the key management platform through the blockchain client.
Step 203, receiving, by the blockchain client, a second data writing instruction sent by the key management platform, where the second data writing instruction includes a second random number, a first signature and ciphertext data, the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting target data by the key management platform.
The key management platform can be in butt joint with the encryption machine, the encryption can be completed in the encryption machine, and the actions of dispersing, generating and the like of all keys can be completed in the encryption machine.
And 204, verifying the first signature, writing the ciphertext data in the case that the first signature passes verification, and generating a second signature according to the second random number.
Wherein the verification of the first signature may be used to verify the identity legitimacy of the key management platform, and the second signature may be used by the key management platform to verify the identity legitimacy of the secure terminal.
The writing may be to store the ciphertext data in a security module of the security terminal, for example: when the first signature passes verification, the ciphertext data may be written into the security module, and the security module may further store identity information (such as a private key) of the blockchain client or the security terminal, and provide digital signature capability, encryption and decryption hardware algorithm implementation capability, and the like.
Step 205, sending, by the blockchain client, the second signature to the key management platform.
In this embodiment, by verifying the first signature, writing the ciphertext data when the first signature passes, and sending the second signature to the key management platform through the blockchain client, the ciphertext data encrypted by the target data may be stored, so that the target data is invisible to all nodes of the blockchain, thereby achieving the technical effect of improving the security of the target data.
And the security terminal verifies the legitimacy of the identity of the key management platform through the first signature, the key management platform verifies the legitimacy of the identity of the security terminal through the second signature, and the security of data transmission can be improved through bidirectional authentication between the key management platform and the security terminal, so that the situation of a malicious party is prevented.
In addition, through the identity information of the secure terminal storage block chain client and the hardware algorithm implementation of digital signature and encryption and decryption, compared with the traditional software, TEE (Trusted Execution Environment ) and other storage and encryption and decryption algorithms, SPA (Simple power analysis ) or DPA (Differential Power Analysis, differential power analysis) and other channel attacks and physical attacks can be prevented, and higher storage security and higher algorithm execution efficiency can be realized.
Optionally, before the receiving, by the blockchain client, the second data writing instruction sent by the key management platform, the method further includes:
sending a supported function list to the key management platform through the blockchain client so that the key management platform judges whether key negotiation is supported or not according to the function list;
And under the condition of supporting key negotiation, negotiating with the key management platform to obtain a session key.
The function list may include whether the secure terminal supports a key negotiation function, for example: when the security terminal loads the identity authentication key and the corresponding service key, the security terminal cannot support the key negotiation function.
In this embodiment, under the condition of supporting key negotiation, a session key is obtained by negotiating with the key management platform, and the target data is encrypted by using the session key obtained by negotiating, so that the integrity and confidentiality of the target data can be ensured, and the safe issuing of the target data from the key management platform to the secure terminal is completed.
Optionally, the negotiating with the key management platform to obtain the session key includes:
receiving a key negotiation instruction sent by the key management platform through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor by the key management platform;
Responding to the key negotiation instruction to verify the third signature, decrypting the session key factor ciphertext to generate a session key under the condition that the third signature passes the verification, and generating a fourth signature according to the session key and the third random number;
and sending the fourth signature to the key management platform through the blockchain client.
In the embodiment, the negotiated session key is used for encrypting the target data and calculating the signature, so that the integrity and confidentiality of the data can be ensured, and the safe issuing of the target data from the key management platform to the corresponding safe terminal of the blockchain client is realized.
Referring to fig. 3, as a specific embodiment, fig. 3 illustrates a key distribution system that may be used in the signature verification method according to an embodiment of the present application, and as shown in fig. 3, a system 300 includes a blockchain system 301, a key management platform 302, a cryptographic engine 303, a secure terminal system 304, and an identity authentication system 305.
The blockchain system 301 includes a blockchain client SDK (Software Development Kit ) and HTTP REST (Representation State Transfer, representation layer transformation) interface, and the secure terminal system 304 includes a plurality of secure terminals.
As shown in fig. 4, the security terminal is an embedded device equipped with a minimum system 401 of a baseband communication computer, a touch screen 402, a security module 403, an information acquisition module 404, a communication module 405, a power module 406, and other hardware, and running a graphical interface operating system and software. The security terminals can obtain the unique identification code of the article and the material or exchange information between the security terminals through contact or non-contact modes (camera scanning, sensing, wired connection or wireless communication and the like). The secure terminal may generate the object rights stream registration information and apply for the uplink directly to the blockchain system. The secure terminal is a registration device that both the object right transfer-out party and the object right transfer-in party should have. The baseband communication computer minimum system 401 mainly comprises a baseband chip, a radio frequency chip, a clock, a nonvolatile memory, a volatile memory and the like, and has the functions of operating an operating system management task schedule, cellular network mobile communication capability, a database, a peripheral communication interface, input/Output (IO) and the like. The touch screen 402 may be a capacitive or resistive touch screen, providing graphical display capability on the one hand, and touch control capability on the other hand. The information acquisition module 404 may include a camera, NFC (Near Field Communication ) or infrared scanning information acquisition device. The communication module 405 may provide Bluetooth, WIFI (Wireless Fidelity ) or other near field communication capabilities. The power module 406 may be comprised of a battery, a charging circuit, an interface, and the like. The security terminal is internally provided with a security module, a security unit of the security module stores identity information (such as a private key) of the security terminal and provides signature capability, and the security module is called by an interface to digitally sign input data by using the private key stored by the security module, but the private key information cannot be directly obtained by the outside through the interface; the SIM (Subscriber Identity Module ) unit of the security module 403 provides cellular network communication capabilities.
As shown in fig. 5, the security module 403 may be a minimum security computing unit including a security storage medium 4031, an MCU (Microcontroller Unit, micro control unit) 4032, control circuit logic 4033, a communication module 4034, and a display module 4035, where the security storage medium 4031 may be a FLASH Memory, a ROM (Read-Only Memory), an EEPROM (Electrically Erasable Programmable ROM, electrically erasable programmable Read Only Memory), an OTP (One Time Programmable, one-time programmable) and other nonvolatile Memory devices, and may safely store sensitive data and effectively prevent leakage. MCU4032 and control circuit logic 4033 cooperate to complete the operation of the on-chip embedded operating system to provide security services such as signature, encryption and decryption. The communication module 4034 is mainly used for interfacing with an account authority management system, providing a hardware interaction interface, and simultaneously providing power for the security module, and is mainly in the form of a USB (Universal Serial Bus ) interface. The display module 4035 may be an LCD (Liquid Crystal Display ) for prompting the current status of the security module, mainly including power-up, normal, abnormal, etc.
The key management platform 302 and the crypto machine 303 cooperate to form a complete key management system, which is a server application formed by technologies such as a background and a database and is mainly used for completing the functions of security module identification acquisition, key dispersion, key issuing, data management and the like. When the security module needs to load or update the key, the blockchain user client SDK will send a key loading or updating application, and the key management platform 302 responds to the application to complete the loading and issuing of the key after the authentication is passed through the bidirectional authentication.
The identity authentication system 305 includes an identity authentication platform and a companion security module. The identity authentication platform is a server application formed by technologies such as a Web foreground, a Web background and a database. The identity authentication system 305 provides account rights management capabilities (e.g., an administrator or operator registers the public key and ID of an authorized secure terminal to the blockchain, an administrator or operator registers the public key and ID of an authorized secure module to the blockchain, etc.); users of the authentication system 305, including administrators, roles of services (e.g., businesses and organizations of related services within a federation), etc., need to use security modules to log into the authentication system. This is because the private key and ID of the user are stored in the security module, and the user uses the private key signature when using the authentication system to perform the request; when the block chain system receives the request, the corresponding public key and ID stored in the block chain system are used for checking the signature; the request block chain passed by the verification signature is accepted.
The key management platform 302 is configured to generate 1024-bit RSA public-private key pairs as authorized public-private key pairs of the data consumer, generate a unique identifier DCID of the data consumer, and perform unified management corresponding to the unique identifier DCID stored in the database; writing the unique identification DCID, the symmetric key, the private key and the authorization valid period of the data consumer into a security module of the security terminal through an online security channel established between the blockchain client SDK and the key management platform 302; the data consumer uniquely identifies the DCID and the public key certificate and blockchain; the client SDK of the blockchain user is matched with the security module for use, the authorization valid period is checked, and if the authorization valid period is out of date, the security module is invalid. The signature verification method may include the following processes:
when the security module is started for the first time, the blockchain user client SDK inquires whether the security module has a service key or an identity authentication key, obtains inquiry information, and informs a key management center of the inquiry information;
the key management center obtains the unique identification of the security module and a function list, wherein the function list comprises whether the security module supports functions such as key negotiation or not;
according to whether a key exists, a key loading or key updating application is provided for a key management platform;
The security module receives the key update application;
the security module generates a random number SARand as a response and returns the random number SARand to the key management platform;
the key management platform selects a reasonable mode according to a function list supported by the security module to encrypt a key to form ciphertext data, meanwhile, the key management platform generates a random number SPrand, a signature is generated by using the SArand, and the ciphertext data, the SPrand and the signature data are cascaded and then the data is issued to update the security module key;
the block chain client SDK receives the issued data and then forwards the issued data to the security module, and the security module verifies the signature result of the key management platform to confirm the identity of the key management platform, and writes the key data after the verification is passed. Generating a signature by using SPRand and uploading the signature;
after receiving the signature data, the key management platform verifies and confirms whether the security module is legal, so that the steps are repeated to finish distribution and writing of all keys.
Wherein the random number SARand represents the first random number, the random number SPRand represents the second random number, the signature generated using SARand represents the first signature, and the signature generated using SPRand represents the second signature.
The blockchain user may include an operator, a financial service party, a supervisor and the like who need to view the on-chain data meeting the authority of the corresponding public key, the sensitive data of the participant need to be stored in the security module, and the sensitive data needed to be stored by the participant requires the following table:
TABLE 1
The key structure is stored in the form of 'key head+key body', the key head mainly defines key related attributes, and the key body refers to a key value. The specific definition is as follows:
TABLE 2
Key type Key ID Key version Number of key attempts Key length Key value
If the number of times of key errors exceeds the number of times of attempts, the security module is locked, an operator is required to unlock, and otherwise, the security module function cannot be normally used.
In this service, the management of symmetric keys (except the data encryption root key) is performed in a decentralized manner of root key- > subkeys, that is, the server manages the root key, and the subkeys on the security module are obtained by the root key through a certain parameter operation. The level of key dispersion and the associated requirements are as follows:
the management key must be preset in the production of the security module, the management key type includes an ISD key (the security module is a Java platform) and a master control key (the security module is a Native platform), and a two-level structure is adopted, which is described as follows:
Secondary structure: manage root key- > subkey;
dispersion parameters: dcid+version number;
the distribution of the keys of each level is shown in the following table:
TABLE 3 Table 3
Root key Key management system
Sub-key Security module
The sub-keys need to be preset in the production process of the security module, and other keys can be authorized and updated in an online and offline mode.
The locking key adopts a secondary structure, and is described as follows:
secondary structure: locking the root key- > subkeys;
dispersion parameters: seid+version number;
the distribution of the keys of each level is shown in the following table:
TABLE 4 Table 4
Root key Key management system
Sub-key Security module
The unlocking key adopts a secondary structure, and is described as follows:
secondary structure: unlocking a root key- > a subkey;
dispersion parameters: seid+version number;
the distribution of the keys of each level is shown in the following table:
TABLE 5
Root key Key management system
Sub-key Security module
The data encryption root key adopts a primary management structure, and is explained as follows:
primary structure: directly writing a root key corresponding to a data encryption key in the security chip into the security module, dispersing the root key through data SEID+version number on a chain to obtain a decryption subkey when decrypting data, and then decrypting ciphertext data on the chain;
The distribution of the keys of each level is shown in the following table:
TABLE 6
Root key Key management system
Root key Security module
The signature key is an RSA public-private key pair with 1024bit length generated by a key management system;
the distribution of the keys is shown in the following table:
TABLE 7
Private key Security module
Public key Key management system
The negotiation key is an RSA public-private key pair with 1024bit length generated by a key management system;
the distribution of the keys is shown in the following table:
TABLE 8
Private key Security module
Public key Key management system
The negotiation key is preset in the security module during the production of the security module.
The sub-key dispersion method of the symmetric key can comprise the following steps:
the dispersion parameter of the key is 16 bytes (if the key is less than 16 bytes, 0x80 is added firstly, if the key is less than 16 bytes, 0x00 to 16 bytes are added again);
for 128Bit keys, encrypting the dispersion parameters by using an ECB (Electronic Codebook, codebook) algorithm of the key corresponding algorithm by using a root key to obtain sub-keys; and for the 256Bit key, connecting the 16 byte dispersion parameters with the inverted numerical value of the parameters to form 32 byte dispersion parameters, and encrypting the dispersion parameters by adopting an ECB algorithm of the key corresponding algorithm by using a root key to obtain a subkey. For example: if the encryption key (root key) in the mobile authorization key packet is AES-128Bit key KeyRoot, the SEID of a certain security chip is 11223344556677889900, and the key version number is 01, the subkey KeySub of the security chip is obtained as follows:
Pad SEID to 16 bytes: 11223344556677889900018000000000;
calculate sub key =
AES-28-EncECB(KeyRoot)[11223344556677889900018000000000]。
The key negotiation algorithm based on the asymmetric key can comprise the following procedures:
under the condition that asymmetric keys are adopted by both parties of a session to carry out one-way negotiation, a session key calculation mode based on the asymmetric keys can be adopted to obtain the session key.
The 128Bit session key is calculated as follows:
sessionkeyenc=left 16[ HASH256[ session key factor|| 'ENC & MAC' ||security platform nonce ] ];
sessionkeymac=right 16[ HASH256[ session key factor|| 'ENC & MAC' ||security platform nonce ] ];
the 256Bit session key is calculated as follows:
sessionkeyenc=hash 256[ session key factor| 'ENC' |security platform nonce ] sessionkeymac=hash 256[ session key factor| 'MAC' |security platform nonce ];
the session key factor is 16 bytes in length, is generated by the security platform and is encrypted by a public key of the security module and transmitted to the security module; HASH256 may represent a 256-bit digest algorithm, and SHA256 may be selected according to actual conditions; LEFT16/RIGHT16 may represent the LEFT16 bytes and RIGHT16 bytes of the parameter.
As shown in fig. 6, the signature verification method may specifically include the following procedures:
The key management platform application sends a first data writing instruction to the blockchain client SDK;
the block chain client SDK sends a first data writing instruction to the security module OS;
the security module OS returns a response to the blockchain client SDK, wherein the response comprises a random number SARand;
the block chain client SDK returns a response to the key management platform application;
the key management platform application sends a data writing request message to the key management platform, wherein the data writing request message comprises a random number SARand;
the key management platform generates a second DATA writing instruction which comprises a DATA ciphertext, a random number SPRand and a signature SPMAC;
the key management platform sends a second data writing instruction to the key management platform application;
the key management platform application sends a second data writing instruction to the blockchain client SDK;
the block chain client SDK sends a second data writing instruction to the security module OS;
the security module OS verifies the identity of the key management platform and performs data writing operation;
the security module OS returns a result to the blockchain client SDK, wherein the returned result comprises a signature SAMAC;
the block chain client SDK returns a result to the key management platform application;
The key management platform application returns a result to the key management platform;
the key management platform verifies the identity of the security module OS, and the data writing is completed.
Wherein the random number satrand represents the first random number, the random number SPRand represents the second random number, the signature SPMAC represents the first signature, the signature SAMAC represents the second signature, the DATA ciphertext represents the ciphertext DATA, and when the secure terminal supports key negotiation, as shown in fig. 7, the key management platform and the secure terminal directly perform key negotiation as follows:
the key management platform generates a random number SPRand and a session key factor, encrypts the session key factor by adopting a public key of the security module to obtain a session key factor ciphertext, and calculates a signature SPMAC of the key management platform;
the key management platform sends a session key message to the key management platform application, wherein the session key message comprises a random number SPrand, a session key factor ciphertext and a signature SPMAC;
the key management platform application calls a blockchain client SDK, and sends a key negotiation instruction to the blockchain client SDK, wherein the key negotiation instruction comprises a random number SPrand, a session key factor ciphertext and a signature SPMAC;
The block chain client SDK sends a key negotiation instruction to the security module OS;
the security module OS verifies the signature SPMAC, decrypts the session key factor ciphertext and generates a session key, and calculates the signature SAMAC by adopting the session key and the random number SPrand;
the security module interface sends a response to the blockchain client SDK, wherein the response comprises a signature SAMAC;
the block chain client SDK sends a response to the key management platform application;
the key management platform application sends a response to the key management platform;
the key management platform verifies the signed SAMAC and generates the session key.
Wherein the random number SPrand represents the third random number, the public key of the security module is a public key preset in the security module to negotiate a secret key, the signature SPMAC represents the third signature, and the signature SAMAC represents the fourth signature.
The session key generated by the key management platform can be directly obtained according to the session key factor, and the session key is generated when the key management platform verifies that the signature SAMAC passes.
In this embodiment, the key management platform performs unified management and distribution of the key, and the asymmetric key pair generates and distributes the symmetric key to form a mapping relationship with the user identifier (or the security module identifier), so that the security of the data can be improved, and actions such as the distribution and generation of the key are completed in the cryptographic engine in butt joint with the key management platform, so that exposure of plaintext data can be avoided. Meanwhile, a security channel is established through a hardware security module corresponding to the block chain user node and the key management platform, and key distribution is carried out in a mode of updating keys through a security channel ciphertext, so that the security of data is ensured.
In addition, the identity information of the blockchain user or the security terminal is stored through the security module, the roles of operators of the identity authentication system such as an administrator, an authorized organization, a supervision organization and the like are explicitly provided based on the current mainstream role division of the blockchain, the identity information (such as a private key) of the blockchain user or the security terminal is stored, signature capability is provided, hardware security guarantee is provided for blockchain application, and the application scene of the blockchain can be expanded.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a key management platform according to an embodiment of the present application, and as shown in fig. 8, a key management platform 800 includes:
a first sending module 801, configured to send a first data writing instruction to a secure terminal through a blockchain client;
a first obtaining module 802, configured to obtain, by the blockchain client, a first random number generated by the secure terminal in response to the first data writing instruction;
a second sending module 803, configured to send, by using the blockchain client, a second data writing instruction to the secure terminal, where the second data writing instruction includes a second random number, a first signature, and ciphertext data, where the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data;
And the second obtaining module 804 is configured to obtain, by using the blockchain client, a second signature generated by the secure terminal, and verify the second signature, where the second signature is a signature generated by the secure terminal according to the second random number when the first signature passes verification.
Optionally, as shown in fig. 9, the key management platform 800 may further include:
a third obtaining module 805, configured to obtain, by using the blockchain client, a function list supported by the secure terminal, and determine, according to the function list, whether the secure terminal supports key negotiation;
a first encryption module 806, configured to encrypt, using a preset key, the target data to obtain the ciphertext data when the secure terminal does not support key negotiation;
and a second encryption module 807, configured to, in a case where the secure terminal supports key negotiation, negotiate with the secure terminal to obtain a session key, and encrypt the target data using the session key to obtain the ciphertext data.
Optionally, the negotiating with the secure terminal in the second encryption module 807 obtains a session key, including:
sending a key negotiation instruction to the secure terminal through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor;
Receiving a fourth signature sent by the secure terminal in response to the key negotiation instruction through the blockchain client, wherein the fourth signature is a signature generated by decrypting the session key factor ciphertext to generate a session key and according to the session key and the third random number when the secure terminal verifies that the third signature passes;
and verifying the fourth signature, and acquiring the session key based on the session key factor under the condition that the fourth signature passes verification.
Optionally, as shown in fig. 10, the key management platform 800 may further include:
and a fourth obtaining module 808, configured to obtain the secure terminal identifier, and generate the target data according to the secure terminal identifier.
The key management platform 800 is capable of implementing various processes implemented by the key management platform in the method embodiment of fig. 1, and is not described herein again for the sake of avoiding repetition. The key management platform 800 may achieve the technical effect of improving data security.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a security terminal according to an embodiment of the present application, and as shown in fig. 11, a security terminal 1100 includes:
a first sending module 1101, configured to receive, by a blockchain client, a first data writing instruction sent by a key management platform;
A generating module 1102, configured to generate a first random number in response to the first data writing instruction, and send the first random number to the key management platform through the blockchain client;
a receiving module 1103, configured to receive, by using the blockchain client, a second data writing instruction sent by the key management platform, where the second data writing instruction includes a second random number, a first signature, and ciphertext data, where the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting, by the key management platform, target data;
a verification module 1104, configured to verify the first signature, write the ciphertext data when the first signature passes through verification, and generate a second signature according to the second random number;
a second sending module 1105, configured to send the second signature to the key management platform through the blockchain client.
Optionally, as shown in fig. 12, the secure terminal 1100 may further include:
a third sending module 1106, configured to send, by the blockchain client, a supported function list to the key management platform, so that the key management platform determines whether to support key negotiation according to the function list;
A negotiation module 1107, configured to negotiate with the key management platform to obtain a session key under the condition of supporting key negotiation.
Optionally, the negotiating with the key management platform in the negotiating module 1107 obtains a session key, including:
receiving a key negotiation instruction sent by the key management platform through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor by the key management platform;
responding to the key negotiation instruction to verify the third signature, decrypting the session key factor ciphertext to generate a session key under the condition that the third signature passes the verification, and generating a fourth signature according to the session key and the third random number;
and sending the fourth signature to the key management platform through the blockchain client.
The secure terminal 1100 is capable of implementing each process implemented by the secure terminal in the method embodiment of fig. 2, and is not described herein again to avoid repetition. The secure terminal 1100 may achieve the technical effect of improving data security.
Referring to fig. 13, an embodiment of the present application further provides an electronic device, where the electronic device 1300 includes a processor 1301, a memory 1302, and a program or an instruction stored in the memory 1302 and capable of running on the processor 1301, where the program or the instruction implements each process of the above-mentioned signature verification method embodiment when executed by the processor 1301, and the same technical effects can be achieved, and for avoiding repetition, a detailed description is omitted herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Furthermore, it should be noted that the scope of the methods and apparatus in the embodiments of the present application is not limited to performing the functions in the order shown or discussed, but may also include performing the functions in a substantially simultaneous manner or in an opposite order depending on the functions involved, e.g., the described methods may be performed in an order different from that described, and various steps may be added, omitted, or combined. Additionally, features described with reference to certain examples may be combined in other examples.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising several instructions for causing a terminal (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method of the embodiments of the present application.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are merely illustrative and not restrictive, and many forms may be made by those having ordinary skill in the art without departing from the spirit of the present application and the scope of the claims, which are to be protected by the present application.

Claims (10)

1. A signature verification method, applied to a key management platform, comprising:
sending a first data writing instruction to a security terminal through a blockchain client;
acquiring a first random number generated by the secure terminal in response to the first data writing instruction through the blockchain client;
sending a second data writing instruction to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data;
and acquiring a second signature generated by the secure terminal through the blockchain client, and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification.
2. The method of claim 1, wherein prior to the sending, by the blockchain client, a second data write instruction to the secure terminal, the method further comprises:
acquiring a function list supported by the secure terminal through the blockchain client, and judging whether the secure terminal supports key agreement according to the function list;
Under the condition that the safety terminal does not support key agreement, encrypting the target data by using a preset key to obtain the ciphertext data;
and under the condition that the secure terminal supports key negotiation, negotiating with the secure terminal to obtain a session key, and encrypting the target data by using the session key to obtain the ciphertext data.
3. The method of claim 2, wherein negotiating with the secure terminal to obtain a session key comprises:
sending a key negotiation instruction to the secure terminal through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor;
receiving a fourth signature sent by the secure terminal in response to the key negotiation instruction through the blockchain client, wherein the fourth signature is a signature generated by decrypting the session key factor ciphertext to generate a session key and according to the session key and the third random number when the secure terminal verifies that the third signature passes;
And verifying the fourth signature, and acquiring the session key based on the session key factor under the condition that the fourth signature passes verification.
4. The method of claim 1, wherein before the sending, by the blockchain client, the second data write instruction to the corresponding secure terminal, the method further comprises:
and acquiring the safety terminal identifier, and generating the target data according to the safety terminal identifier.
5. A signature verification method, applied to a secure terminal, comprising:
receiving a first data writing instruction sent by a key management platform through a blockchain client;
generating a first random number in response to the first data writing instruction, and sending the first random number to the key management platform through the blockchain client;
receiving a second data writing instruction sent by the key management platform through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting target data by the key management platform;
Verifying the first signature, writing the ciphertext data under the condition that the first signature passes verification, and generating a second signature according to the second random number;
and sending the second signature to the key management platform through the blockchain client.
6. The method of claim 5, wherein prior to receiving, by the blockchain client, the second data write instruction sent by the key management platform, the method further comprises:
sending a supported function list to the key management platform through the blockchain client so that the key management platform judges whether key negotiation is supported or not according to the function list;
and under the condition of supporting key negotiation, negotiating with the key management platform to obtain a session key.
7. The method of claim 6, wherein negotiating with the key management platform to obtain a session key comprises:
receiving a key negotiation instruction sent by the key management platform through the blockchain client, wherein the key negotiation instruction comprises a third random number, a session key factor ciphertext and a third signature, and the session key factor ciphertext is data obtained by encrypting the generated session key factor by the key management platform;
Responding to the key negotiation instruction to verify the third signature, decrypting the session key factor ciphertext to generate a session key under the condition that the third signature passes the verification, and generating a fourth signature according to the session key and the third random number;
and sending the fourth signature to the key management platform through the blockchain client.
8. A key management platform, comprising:
the first sending module is used for sending a first data writing instruction to the security terminal through the blockchain client;
the first acquisition module is used for acquiring a first random number generated by the secure terminal in response to the first data writing instruction through the blockchain client;
the second sending module is used for sending a second data writing instruction to the secure terminal through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated according to the first random number, and the ciphertext data is data obtained by encrypting target data;
and the second acquisition module is used for acquiring a second signature generated by the secure terminal through the blockchain client and verifying the second signature, wherein the second signature is generated by the secure terminal according to the second random number under the condition that the first signature passes verification.
9. A secure terminal, comprising:
the first sending module is used for receiving a first data writing instruction sent by the key management platform through the blockchain client;
the generation module is used for responding to the first data writing instruction to generate a first random number, and transmitting the first random number to the key management platform through the blockchain client;
the receiving module is used for receiving a second data writing instruction sent by the key management platform through the blockchain client, wherein the second data writing instruction comprises a second random number, a first signature and ciphertext data, the first signature is a signature generated by the key management platform according to the first random number, and the ciphertext data is data obtained by encrypting target data by the key management platform;
the verification module is used for verifying the first signature, writing the ciphertext data in the case that the first signature passes verification, and generating a second signature according to the second random number;
and the second sending module is used for sending the second signature to the key management platform through the blockchain client.
10. An electronic device comprising a processor, a memory, and a program or instruction stored on the memory and running on the processor, the program or instruction when executed by the processor implementing the steps in the signature verification method of any one of claims 1 to 4, or the program or instruction when executed by the processor implementing the steps in the signature verification method of any one of claims 5 to 7.
CN202011344964.XA 2020-11-26 2020-11-26 Signature verification method, key management platform, security terminal and electronic equipment Active CN114553426B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011344964.XA CN114553426B (en) 2020-11-26 2020-11-26 Signature verification method, key management platform, security terminal and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011344964.XA CN114553426B (en) 2020-11-26 2020-11-26 Signature verification method, key management platform, security terminal and electronic equipment

Publications (2)

Publication Number Publication Date
CN114553426A CN114553426A (en) 2022-05-27
CN114553426B true CN114553426B (en) 2023-08-15

Family

ID=81659189

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011344964.XA Active CN114553426B (en) 2020-11-26 2020-11-26 Signature verification method, key management platform, security terminal and electronic equipment

Country Status (1)

Country Link
CN (1) CN114553426B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941682B (en) * 2022-10-27 2024-08-02 中国电子科技集团公司第三十研究所 Multi-platform blockchain infrastructure management method
CN116055188B (en) * 2023-01-28 2023-07-14 紫光同芯微电子有限公司 Bidirectional authentication method, bidirectional authentication device and bidirectional authentication system for equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN104852911A (en) * 2015-04-27 2015-08-19 小米科技有限责任公司 Safety verification method, device and system
CN107888382A (en) * 2017-11-24 2018-04-06 中钞信用卡产业发展有限公司杭州区块链技术研究院 A kind of methods, devices and systems of the digital identity checking based on block chain
CN107980216A (en) * 2017-05-26 2018-05-01 深圳前海达闼云端智能科技有限公司 Communication means, device, system, electronic equipment and computer-readable recording medium
CN109076058A (en) * 2016-05-27 2018-12-21 华为技术有限公司 A kind of authentication method and device of mobile network
CN110048842A (en) * 2019-05-30 2019-07-23 全链通有限公司 Session key processing method, equipment and computer readable storage medium
CN111262852A (en) * 2020-01-14 2020-06-09 杭州趣链科技有限公司 Business card signing and issuing method and system based on block chain

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9118467B2 (en) * 2013-03-13 2015-08-25 Atmel Corporation Generating keys using secure hardware
EP3566197B1 (en) * 2018-12-21 2022-03-30 Advanced New Technologies Co., Ltd. Blockchain data protection based on generic account model and homomorphic encryption
CN114884659B (en) * 2022-07-08 2022-10-25 北京智芯微电子科技有限公司 Key agreement method, gateway, terminal device and storage medium

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413132A (en) * 2011-11-16 2012-04-11 北京数码视讯软件技术发展有限公司 Two-way-security-authentication-based data downloading method and system
CN104852911A (en) * 2015-04-27 2015-08-19 小米科技有限责任公司 Safety verification method, device and system
CN109076058A (en) * 2016-05-27 2018-12-21 华为技术有限公司 A kind of authentication method and device of mobile network
CN107980216A (en) * 2017-05-26 2018-05-01 深圳前海达闼云端智能科技有限公司 Communication means, device, system, electronic equipment and computer-readable recording medium
CN107888382A (en) * 2017-11-24 2018-04-06 中钞信用卡产业发展有限公司杭州区块链技术研究院 A kind of methods, devices and systems of the digital identity checking based on block chain
CN110048842A (en) * 2019-05-30 2019-07-23 全链通有限公司 Session key processing method, equipment and computer readable storage medium
CN111262852A (en) * 2020-01-14 2020-06-09 杭州趣链科技有限公司 Business card signing and issuing method and system based on block chain

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Bin Liu ; Lijun Xiao.Secure Digital Certificate-Based Data Access Control Scheme in Blockchain. IEEE Access .2020,全文. *

Also Published As

Publication number Publication date
CN114553426A (en) 2022-05-27

Similar Documents

Publication Publication Date Title
EP3329637B1 (en) System, apparatus and method for optimizing symmetric key cache using tickets issued by a certificate status check service provider
CN109479049B (en) System, apparatus and method for key provisioning delegation
JP4199074B2 (en) Method and apparatus for secure data communication link
CN101176295B (en) Authentication method and key generating method in wireless portable internet system
CN110800248B (en) Method for mutual symmetric authentication between a first application and a second application
US8724819B2 (en) Credential provisioning
AU2011305477B2 (en) Shared secret establishment and distribution
CN108566381A (en) A kind of security upgrading method, device, server, equipment and medium
JP7292263B2 (en) Method and apparatus for managing digital certificates
JP2004180280A (en) Method and system for adaptive authorization
CN104821933A (en) Device and method certificate generation
JP2011523520A (en) Station distributed identification method in network
JP5992535B2 (en) Apparatus and method for performing wireless ID provisioning
CN105282179A (en) Family Internet of things security control method based on CPK
CN114765534B (en) Private key distribution system and method based on national secret identification cryptographic algorithm
Noh et al. Secure authentication and four-way handshake scheme for protected individual communication in public wi-fi networks
WO2022001225A1 (en) Identity credential application method, identity authentication method, device, and apparatus
CN114553426B (en) Signature verification method, key management platform, security terminal and electronic equipment
KR102355708B1 (en) Method for processing request based on user authentication using blockchain key and system applying same
CN112182627A (en) Block chain digital certificate management method and system based on mobile equipment
JP4499575B2 (en) Network security method and network security system
Yoon et al. Security enhancement scheme for mobile device using H/W cryptographic module
KR101451163B1 (en) System and method for access authentication for wireless network
CN112751664B (en) Internet of things networking method, internet of things networking device and computer readable storage medium
Nishimura et al. Secure authentication key sharing between personal mobile devices based on owner identity

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant